Junos® Pulse Mobile Security Gateway

Administration Guide

Release 5.0R1

Published: 2013-10-29

Copyright © 2013, Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 408-745-2000 www.juniper.net Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos Pulse Mobile Security Gateway Administration Guide Copyright © 2013, Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide ...... ix
    Documentation and Release Notes ...... ix
    Documentation Conventions ...... ix
    Documentation Feedback ...... x
    Requesting Technical Support ...... x
        Self-Help Online Tools and Resources ...... x
        Opening a Case with JTAC ...... xi

Part 1 Junos Pulse Mobile Security Gateway

Chapter 1 Getting Started ...... 3
    Pulse Mobile Security Overview ...... 3
        Enterprise and Consumer Deployments ...... 4
        Administrators and Roles ...... 4
        Customer Service Roles ...... 6
        New Features in Pulse Mobile Security Release 5.0 ...... 6
    Accessing the Pulse Mobile Security Gateway ...... 8
    Using the Pulse Mobile Security Gateway Management Console ...... 8

Chapter 2 Setting Up the Pulse Mobile Security Gateway ...... 11
    Adding a Partner ...... 11
    Adding an Enterprise ...... 12
    Editing the Default Enterprise Policy Settings ...... 13
    Adding Administrator Accounts ...... 17
        Adding an Administrator Role ...... 18
        Adding a User Account ...... 20
        Assigning a Role and User Control List to a User Account ...... 21
    Registering Devices ...... 21
        Manual Registration of iOS Devices ...... 21
        Manual Registration of non-iOS Devices ...... 22
        Automatic Registration ...... 22
    Configuring Device Identity Servers ...... 23
        Importing Certificates for Device Identity Servers ...... 24
        Importing the Certificate for the Pulse Mobile Security Gateway ...... 24
    Configuring GCM, SMS, and System Log Settings ...... 25
    Configuring Application APNS Certificates ...... 28
        Obtaining an Application APNS Certificate ...... 28
        Uploading Application APNS Certificates ...... 30
    Updating Malware Signatures ...... 30
        Creating Certificates for the Pulse Mobile Security Gateway ...... 31
        Importing Certificates for the Control Center and Signature Update Server ...... 32
        Configuring the Control Center Settings ...... 32
        Configuring the Signature Update Server ...... 33

Chapter 3 Profiles ...... 35
    Defining Prohibited Applications ...... 35
    Managing MDM Profiles ...... 36
        Adding and Editing MDM Profiles ...... 36
            General Settings ...... 37
            Exchange ActiveSync Settings ...... 37
            Security & Control ...... 38
            VPN Settings ...... 41
            SCEP Authentication Settings (iOS Devices Only) ...... 43
            Wi-Fi Connectivity Settings ...... 44
            Tracking (iOS Devices) ...... 46
        Importing and Exporting MDM Profiles ...... 47
        Setting the Default MDM Profile ...... 48
        Deleting MDM Profiles ...... 49
    Managing Device Profiles ...... 49
        Adding and Editing Device Profiles ...... 49
            General Settings ...... 50
            UI Mode Settings ...... 50
            Anti Virus Settings ...... 53
            Monitor and Control Settings ...... 54
            Firewall Settings ...... 55
            Antispam Settings ...... 55
            Sim Change Settings ...... 56
        Setting the Default Device Profile ...... 56
        Deleting Device Profiles ...... 57
    Managing Firewall Rules and Profiles ...... 57
        Adding Firewall Rules ...... 58
        Modifying Firewall Rules ...... 58
        Deleting Firewall Rules ...... 59
        Adding Firewall Profiles ...... 59
        Modifying Firewall Profiles ...... 59
        Deleting Firewall Profiles ...... 60
    Managing Antispam Rules and Profiles ...... 60
        Adding an Antispam Rule ...... 60
        Modifying an Antispam Rule ...... 61
        Deleting Antispam Rules ...... 61
        Adding an Antispam Profile ...... 61
        Modifying an Antispam Profile ...... 62
        Deleting Antispam Profiles ...... 62

Chapter 4 User Accounts ...... 63
    Managing User Accounts ...... 63
        Adding a User Account ...... 63
        Modifying User Accounts ...... 64
        Deleting User Accounts ...... 65
    Managing User Groups ...... 66

Chapter 5 Devices ...... 67
    Managing Devices ...... 67
        Adding Devices Manually ...... 67
        Modifying Device Settings ...... 68
        Applying Profiles to Devices ...... 72
        Sending Device Commands ...... 73
        Backing Up and Restoring Personal Data ...... 77
    Managing Device Groups ...... 78

Chapter 6 Reports ...... 79
    Viewing Reports ...... 79
    Removing Applications From Managed Devices ...... 82
    Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices ...... 83
    Tracking Devices with GPS ...... 84
    Viewing the Gateway and Change History Logs ...... 85
    Viewing Device Compliance Messages ...... 86

Part 2 Appendices

Appendix A Summary of Supported Features ...... 91
    Pulse Mobile Security Features by Device Type ...... 91

Part 3 Index

Index ...... 97


List of Tables

About This Guide ...... ix
    Table 1: Notice Icons ...... ix

Part 1 Junos Pulse Mobile Security Gateway

Chapter 3 Profiles ...... 35
    Table 2: General Settings ...... 50
    Table 3: UI Mode Settings ...... 51
    Table 4: Anti Virus Settings ...... 53
    Table 5: Monitor and Control Settings ...... 54
    Table 6: Firewall Settings ...... 55
    Table 7: Anti Spam Settings ...... 55
    Table 8: SIM Change Settings ...... 56

Chapter 5 Devices ...... 67
    Table 9: Device Commands ...... 74

Chapter 6 Reports ...... 79
    Table 10: Device Compliance Parameters ...... 86

Part 2 Appendices

Appendix A Summary of Supported Features ...... 91
    Table 11: Feature Support by Device Type ...... 91
    Table 12: Personal Data Erased by Handset Wipe Command ...... 93


About This Guide

The Junos Pulse Mobile Security Suite consists of the Pulse client application and the cloud-based Mobile Security Gateway, with its associated management console and end-user dashboard. This guide describes how to configure and manage Pulse client devices using the management console of the Mobile Security Gateway.

• Documentation and Release Notes on page ix

• Documentation Conventions on page ix

• Documentation Feedback on page x

• Requesting Technical Support on page x

Documentation and Release Notes

For a list of related Junos Pulse Mobile Security documentation, see http://www.juniper.net/techpubs/en_US/release-independent/junos-pulse-mobile/index.html. If the information in the latest Release Notes differs from the information in the documentation, follow the Release Notes.

To obtain the most current version of all Juniper Networks technical documentation, see the products documentation page on the Juniper Networks website at http://www.juniper.net/techpubs.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page ix defines notice icons used in this guide.

Table 1: Notice Icons

• Informational note (icon)—Indicates important features or instructions.

• Caution (icon)—Indicates a situation that might result in loss of data or hardware damage.


Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

• Document or topic name

• URL or page number

• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/


• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1 Junos Pulse Mobile Security Gateway

• Getting Started on page 3

• Setting Up the Pulse Mobile Security Gateway on page 11

• Profiles on page 35

• User Accounts on page 63

• Devices on page 67

• Reports on page 79


CHAPTER 1 Getting Started

The following topics provide an overview of the Junos Pulse Mobile Security Gateway.

• Pulse Mobile Security Overview on page 3

• Accessing the Pulse Mobile Security Gateway on page 8

• Using the Pulse Mobile Security Gateway Management Console on page 8

Pulse Mobile Security Overview

The Pulse Mobile Security Gateway lets you centrally manage mobile (handheld) devices that are protected by the Junos Pulse Mobile Security Suite. The Pulse Mobile Security Suite is client software that protects mobile devices from viruses, spyware, identity theft and other threats. Users can install the Pulse client software from the applications store associated with any of the following mobile operating systems:

• Apple iOS

• RIM Blackberry

• Google Android

• Nokia

• Windows Mobile

For a list of the supported versions of each mobile operating system, see the Junos Pulse Mobile Supported Platforms Guide, which is available at http://www.juniper.net/support/products/pulse/mobile/.

The Layer 3 VPN feature of the Pulse client (not supported by Blackberry) provides secure access to private networks by connecting to a Juniper Networks SA Series SSL VPN appliance. To activate all other security features, and allow the gateway to manage the device, the mobile device must be registered with the Pulse Mobile Security Gateway.

The Pulse Mobile Security Suite provides the following features:

• Antivirus—Devices are protected by real-time antivirus and malware protection with automatic updates (non-iOS devices only). You can scan files across network connections, perform on-demand scans, and provide virus and malware detection alerts. Note that users can enable the following options on Android devices:


• Scan Memory Card on Insert—The memory card is scanned when it is first installed (if the power is on).

• Scan application on install—Applications are scanned for malware during installation. If the administrator defines any prohibited applications, scanning occurs during installation even if this feature is disabled.

• Android malware detection—Android devices receive signatures to detect both malware and suspicious applications, and you can define a list of prohibited applications. Depending on the device type, malware and prohibited applications are deleted automatically or the user is prompted periodically to perform the deletion.

• Personal firewall—Provides inbound and outbound IP address and port filtering.

• Antispam—Provides filtering to block voice and SMS spam and to deny unknown or unwanted calls.

• Backup and restore—The contact list and calendar on non-iOS devices can be backed up in a standard format and restored to another device.

• Loss and theft protection—From the gateway, you can perform remote lock, remote wipe, GPS locate and track, remote alarm and notification, and SIM change notification.

• Device monitoring and control—The gateway provides tools for application inventory and removal, monitoring (SMS, MMS, e-mail message content, and photos stored on device), and the ability to view the call log and the user’s contacts.

• Consumer Dashboard—Allows users to log in to the gateway to locate a lost or stolen device, view reports of the device usage, or use other security features.

NOTE: The firewall and antispam features are supported only by Windows Mobile and Symbian devices. For more information about version support for each device type, see the Junos Pulse Mobile Supported Platforms Guide.

Enterprise and Consumer Deployments

The features deployed for enterprise and consumer users may differ. For example, a typical enterprise solution may include the Junos Pulse SSL VPN client features, while a typical consumer solution might be comprised of just the Pulse client's anti-malware and anti-theft features.

Administrators and Roles

Each gateway administrator account requires a role that determines the functions that the user can perform and a user access control list that determines the mobile devices the user can access. User roles and accounts can be defined at each administrative level (root, partner, and enterprise), but most administrators will have an enterprise account.

Each role specifies the permissions (view, add, edit, delete, and move) for the following objects that you manage in the Pulse Mobile Security Gateway:


• Partner—A group of one or more enterprises. Only root and partner administrators can add or view partners.

• Enterprise—An organization that manages registered mobile devices. Registered devices exist only at the enterprise level. Each enterprise has a Consumer or Enterprise license. Enterprise administrators can allow users to log in to the gateway dashboard to locate a lost phone or use other security features.

• User—An enterprise user account is created automatically when a mobile device is registered. To create an administrator account, you can add a role and access control list to an existing user account, or manually create a new account.

• User Group—Enterprise user accounts can be organized into user groups, such as by department or business unit. You can then issue commands to the devices associated with the users in one or more groups.

• Device—A device record is created in the appropriate enterprise when a mobile device is registered. Mobile devices are identified by their Mobile Subscriber Integrated Services Digital Network (MSISDN) number (the phone number, including the country code and area code) and their International Mobile Station Equipment Identity (IMEI).

• Device Group—Enterprise devices can be organized into device groups. You can then issue commands to the devices in one or more groups or view reports for a selected device group.

• Profiles—Groups of rules that you can assign to an enterprise or apply to specific devices. Profiles assigned to an enterprise are applied to each device that registers with the enterprise. The current profiles are:

• MDM Profile—Defines various settings for iOS and Android devices, such as user restrictions, password requirements, and the VPN and Wi-Fi networks that users can access.

• Device Profile—Defines antivirus, monitor and control, and SIM change settings for all devices, as well as the following profiles for Windows Mobile and Symbian devices.

• Firewall Profile—Defines inbound and outbound Internet access permissions.

• Antispam Profile—Blocks inbound calls and SMS messages from specific phone numbers.
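A device record keyed on MSISDN and IMEI (the Device item above) is only as useful as the identifiers that go into it: a transposed IMEI digit, or a phone number entered without its country code, yields a record that the gateway cannot match to the handset that later registers. The following is an added example, not code from the Juniper guide or the product; the gateway's own input rules are not documented on this page, so the checks are the public E.164 phone-number format and the IMEI's Luhn check digit. It normalizes both identifiers before they are used to add or search for a device; the default country code and the sample inputs are constructed for the example.

```python
"""Normalize the identifiers the gateway keys a device record on.

Added example; not Juniper code. Assumptions: MSISDNs are stored in E.164
form ('+' followed by up to 15 digits) and IMEIs as 15 digits whose last
digit is a Luhn check digit, as the public specifications define them.
"""
import re

# E.164: '+', a non-zero first digit, 7 to 15 digits in total.
_E164 = re.compile(r"^\+[1-9][0-9]{6,14}$")


def normalize_msisdn(raw: str, default_cc: str = "1") -> str:
    """Return an E.164 string such as '+14085551234', or raise ValueError.

    Separators (spaces, dots, dashes, parentheses) are dropped. A leading
    '00' is treated as the international dialling prefix; a number with no
    prefix at all is assumed to be national and gets default_cc (an
    assumption for this example; the gateway documents no such default).
    """
    digits = re.sub(r"[\s.\-()]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    elif not digits.startswith("+"):
        digits = "+" + default_cc + digits
    if not _E164.match(digits):
        raise ValueError(f"not an E.164 MSISDN: {raw!r}")
    return digits


def msisdn_is_valid(raw: str, default_cc: str = "1") -> bool:
    try:
        normalize_msisdn(raw, default_cc)
        return True
    except ValueError:
        return False


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits (check digit last)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass luhn_ok (body: 14-digit IMEI)."""
    if not re.fullmatch(r"[0-9]{14}", body):
        raise ValueError(f"IMEI body must be 14 digits: {body!r}")
    return next(c for c in "0123456789" if luhn_ok(body + c))


def normalize_imei(raw: str) -> str:
    """Return the 15-digit IMEI, or raise ValueError.

    Accepts the common '49-015420-323751-8' presentation; rejects anything
    that is not exactly 15 digits or whose check digit does not verify.
    """
    digits = re.sub(r"[\s\-]", "", raw)
    if not re.fullmatch(r"[0-9]{15}", digits):
        raise ValueError(f"IMEI must be 15 digits: {raw!r}")
    if not luhn_ok(digits):
        raise ValueError(f"IMEI check digit does not verify: {raw!r}")
    return digits


def imei_is_valid(raw: str) -> bool:
    try:
        normalize_imei(raw)
        return True
    except ValueError:
        return False


def device_key(msisdn: str, imei: str) -> tuple:
    """Normalized (MSISDN, IMEI) pair to add to, or search for in, the gateway."""
    return normalize_msisdn(msisdn), normalize_imei(imei)


if __name__ == "__main__":
    # Constructed sample inputs, as an operator might type them.
    print(device_key("(408) 555-1234", "49-015420-323751-8"))
    print(luhn_check_digit("49015420323751"))
```

An IMEI typed without its fifteenth digit can be completed with luhn_check_digit, but treat that as a convenience for operator typos, not as evidence that the handset exists; the Luhn digit catches single-digit errors and most transpositions, nothing more.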

Each role also lets you allow or disallow certain tasks, such as sending commands to devices or viewing specific device reports. If you are not authorized for certain tasks, the related menu items and buttons are hidden or disabled.

For each new enterprise, a root or partner administrator must create the enterprise and add an enterprise user account and role for use by the enterprise administrator. Partner administrators can manage all enterprises associated with the partner. Root administrators can manage all partners and enterprises. For more information about user accounts and roles, see “Adding Administrator Accounts” on page 17.


Customer Service Roles

Juniper Networks provides Customer Service personnel with credentials that allow access to all tasks related to the support of Pulse client users. Enterprise tasks regarding groups, profiles, and policies are not performed by support personnel.

NOTE: Each chapter of this guide begins by indicating whether enterprise administrators or customer service personnel typically performs the tasks in that chapter. More specific notes about the tasks relevant to customer service personnel are included in each section, as appropriate.

New Features in Pulse Mobile Security Release 5.0

Release 5.0R1 includes the following new features:

• Pulse client enhancements—Junos Pulse 5.0R1 clients support the following new features:

• Secure Mail—The new Enterprise tab allows iOS devices to be onboarded (registered) with the Secure Access Service to use ActiveSync and e-mail encryption. E-mail access can be blocked for devices that are lost or stolen (see the Junos Pulse Secure Access Service Administration Guide).

• Riverbed acceleration—Riverbed Steelhead appliances can be used with the Secure Access Service to provide data acceleration to Android devices. If the Secure Access Service is not used, users can enable acceleration by entering the address of the Steelhead Mobile Controller (SMC) on the Settings screen.

• Smartcard authentication—Smartcards on iOS devices allow users to enter a PIN to establish a VPN connection with the Secure Access Service. Software provided by Thursby Software Systems, Inc. supports multiple card formats, including the U.S. DoD Common Access Card (CAC) and the NIST Personal Identity Verification (PIV) card, as well as card readers from Thursby, Tactivo, and other vendors.

• Android key store—Certificates can be imported to Android devices from a secure digital (SD) card and used to establish a VPN connection with the Secure Access Service.

• RSA soft token—An RSA soft token can be imported to iOS devices and used to establish a VPN connection with the Secure Access Service. The administrator can e-mail the token and password to the user, and the user can tap the attachment, select Pulse, and import the token.


• SDK for SSL VPN—An SSL VPN SDK is now available for Android and iOS devices that allows third-party applications to establish a VPN directly with the Juniper Networks Secure Access Service.

• API for VPN configuration—The Android Pulse client includes an API that lets a third-party application establish a VPN through the Pulse client. To use the API, the application must be predefined in the Pulse client.

• iOS 7 support—When an iOS 7 device that has Junos Pulse 4.2R9 (or later) registers with the gateway, a Juniper device ID (JDID) is sent to the gateway and saved as the device identifier (DID). The JDID contains the value generated by iOS (the UDID and Wi-Fi MAC address are no longer supported as device identifiers). The JDID also can be used as:

• The device identifier when adding an iOS device manually (see “Adding Devices Manually” on page 67)

• The subject or alternate subject name in the SCEP section of an MDM profile (see “Adding and Editing MDM Profiles” on page 36)

• The username in the WiFi section of an MDM profile

• A placeholder (msguserjdid) in an MDM profile created with the IPCU (see “Importing and Exporting MDM Profiles” on page 47)

• Compliance reporting and filtering—The Devices page indicates when an Android device does not have the Device Administrator enabled or is noncompliant with the password settings in the MDM profile. You can also search for devices that are compliant or noncompliant (see “Modifying Device Settings” on page 68).

• Auto-lock setting—More selections have been added for the length of time that a device can be inactive before it is locked (up to 24 hours). For iOS devices, the maximum setting is 5 minutes (see “Adding and Editing MDM Profiles” on page 36).

• Malware scan interval—The units selection for the Android malware scan interval has been changed to days and weeks (see “Managing Device Profiles” on page 49).

• Log filtering—The gateway log entries can be viewed for a specific device and message type, such as device registration messages (see “Viewing the Gateway and Change History Logs” on page 85).

• Server status reporting—The About page now displays status and operational information for each JBoss server in a multiserver deployment.

• Compatibility with previous releases—Release 5.0 of the gateway supports all previous Junos Pulse clients, but requires Pulse 5.0 clients to support the new features in this release. Pulse 5.0 clients are also compatible with earlier versions of the gateway.

Related Documentation

• Accessing the Pulse Mobile Security Gateway on page 8

• Using the Pulse Mobile Security Gateway Management Console on page 8


Accessing the Pulse Mobile Security Gateway

The URL used to access the management console of a Pulse Mobile Security Gateway depends on whether you are hosting the gateway in your own network. To access the management console of a gateway hosted by Juniper Networks, enter the following URL in your browser:

https://mss.junospulse.juniper.net

Use the login credentials provided for you. If you are the root administrator logging in for the first time to a gateway in your own network, use [email protected] and password for the username and password. Change this default password immediately after the first login; until you do, anyone who knows the documented default can log in as root.

If access to the gateway dashboard is enabled, users can use their registration e-mail address and password to log in to the dashboard at the following URL to view device reports, locate a missing device, or use other security features. The dashboard URL for a gateway hosted by Juniper Networks is:

https://mss.junospulse.juniper.net/smobile/dashboard/login.htm

For Windows Mobile and Symbian users, who can enter just the license key during registration, the IMEI number is used for the e-mail address ([email protected]) and password. Administrators can change the defaults and notify the user.

NOTE: To use the Pulse Mobile Security Gateway, your browser must be Google Chrome version 6.0, Microsoft Internet Explorer version 7.0 or 8.0, or Mozilla Firefox 3.0, 3.5, or 3.6. JavaScript and cookies must be enabled on the browser.

Related Documentation

• Using the Pulse Mobile Security Gateway Management Console on page 8

Using the Pulse Mobile Security Gateway Management Console

The management console of the Pulse Mobile Security Gateway has a central data panel and a top panel for additional features, such as search. Administrators with access to multiple partners or enterprises can select a partner or enterprise from the drop-down lists at the top of the page (see Figure 1 on page 9). For customer service personnel and other administrators who manage a single enterprise and its associated users and devices, only the enterprise name is displayed at the top of the page.


Figure 1: Pulse Mobile Security Gateway Management Console

The top panel provides the following selections:

• Search—Lets you search for device identifiers, or the names of users, enterprises, user groups, or device groups. The device identifiers include the phone number (MSISDN) and the DID, ESN, IMEI, IMSI, and UUID. As you type in a value, a list of matching items is displayed.

• My Account—Lets you change your login account.

• Help—Provides the gateway software versions, the list of commands that can be sent to managed devices, and the current list of known viruses. At the root level, the About link also provides information about the system status and operation.

The following tabs are presented below the top panel, depending on the user’s access privileges:

• Home—Shows the list of partners at the root level, the list of enterprises for a partner, or the basic settings for an enterprise.

• Reporting—Shows a summary of virus and registration activity and provides links to more detailed reports. For more information about reports, see “Viewing Reports” on page 79.

• Profiles—Lets you define device profiles for non-iOS devices, MDM profiles for Android and iOS devices, firewall and antispam profiles for Windows Mobile and Symbian devices, and prohibited applications for Android devices.

• Users—Lists the current user accounts. When a mobile device is registered, the gateway creates a user account that includes the device information. You can edit a user account, reset the password, and assign a user role and access control list to an administrator account.

• Devices—Shows the registered mobile devices in an enterprise. You can edit the settings for individual devices, apply device and MDM profiles to devices, move devices to a device group, and send commands to selected devices.

• Groups—Lists the user groups and device groups. You can add and delete device and user groups, and send commands to the devices in one or more groups.


• Roles—Lets you define the roles that specify an administrator’s privileges and assign the roles to administrator accounts.

• Settings—Lets you define the system log severity level, SMS aggregator settings, and the GCM settings for Android devices. Root administrators can configure Device Identity Servers, certificates, and connections to the Control Center and Signature Update Server.

• Logs—Provides access to the gateway logs at the root and enterprise levels. You can search the logs and view the log entries to assist in troubleshooting and reporting.

Related Documentation

• Accessing the Pulse Mobile Security Gateway on page 8

• Registering Devices on page 21

CHAPTER 2 Setting Up the Pulse Mobile Security Gateway

This chapter contains information for partner and enterprise administrators, and includes topics that are relevant to service providers who install the Pulse Mobile Security Gateway in their own network. Typically, customer service personnel do not perform these tasks and do not have access to these settings. Most setup tasks are performed by Juniper Networks personnel before users install the Junos Pulse client and register with the gateway.

• Adding a Partner on page 11

• Adding an Enterprise on page 12

• Editing the Default Enterprise Policy Settings on page 13

• Adding Administrator Accounts on page 17

• Registering Devices on page 21

• Configuring Device Identity Servers on page 23

• Configuring GCM, SMS, and System Log Settings on page 25

• Configuring Application APNS Certificates on page 28

• Updating Malware Signatures on page 30

Adding a Partner

A partner is used to identify a group of enterprises. At least one partner is required, and the Default Partner is created automatically. A root administrator can define new partners or change the Default Partner. Root administrators can then add one or more enterprises or create a user account for a partner administrator who can add the needed enterprises.

To add a partner:

1. Log in to the gateway as a root administrator.

2. On the Home tab, click Add Partner.

3. Specify the following properties:

• Partner Name—Typically, the name of the organization.


• Notes—Information such as how to contact the partner administrator.

4. Click Save to create the partner.

Related Documentation

• Adding an Enterprise on page 12

Adding an Enterprise

An enterprise is any organization that manages mobile devices. For each partner, a Default Enterprise is created automatically. A root or partner administrator can define new enterprises or change the Default Enterprise. Root or partner administrators can manage each enterprise or create a user account for an enterprise administrator who can perform enterprise-specific management tasks.

To add an enterprise:

1. Log in to the gateway as a root or partner administrator.

2. On the Home tab, select the partner where you want to add an enterprise, and click Add Enterprise.

3. Specify the following properties:

Enterprise Name: Enter a descriptive name.

Enterprise Code: Enter a code that identifies this enterprise to managed devices. If the license type is Enterprise, the enterprise code is used as the license key during registration. The enterprise code must be unique.

License Type: Select whether the software is licensed by the enterprise (Enterprise) or by the device (Consumer).

License Count: Enter the number of licensed devices.

License Expiration Date or License Length: For an enterprise license type, select the license expiration date for the enterprise and all of its registered devices. For a Consumer license type, enter the number of days that each registered device is licensed to use the software. The expiration date cannot exceed 2031.

Require Customer Account: Select the check box to require administrators to create a user account before a device can register with the enterprise. If this check box is cleared, a user account is created automatically when a device is registered. If this option is enabled, and a user attempts to register before an account is created, the following warning is written to the log:

Username and Password are required for this enterprise

Allow Insecure Clients: Select the check box to allow gateway access for devices that do not use the latest authentication method (selecting this option is recommended).

Allow Manual Registration: Select the check box to allow users to register with the enterprise by manually entering a license key. Currently, only Android, Blackberry, and iOS devices can be registered automatically.

Allow Dashboard Access: Select the check box to allow users to log in to the gateway dashboard to locate a lost phone or use other security features. If this check box is cleared, the enterprise administrator can use the management console to perform all the tasks available on the dashboard.

Notes: Enter more information about the enterprise (optional).

Products: Select the features enabled in this enterprise. To change the default settings for each feature, see “Editing the Default Enterprise Policy Settings” on page 13. Disabling a feature hides the relevant sections of the enterprise and device settings, as well as the related device commands.

• Firewall

• Antispam

• Antivirus

• Monitor & Control

For Android devices, disabling Antivirus also disables scanning for malware and suspicious applications, but scanning for prohibited applications cannot be disabled. For iOS devices, the GPS Update Period can be set in the MDM profile even when Monitor & Control is disabled.

4. Click Save to add the enterprise to the end of the list of enterprises on the partner Home tab. You may have to refresh the page to see the new enterprise.

5. To change these enterprise settings, click the Edit icon to the right of the enterprise. To change the default policy settings for the enterprise, click the Enterprise Settings icon next to the Edit icon or select the enterprise and click the Settings tab.

Related Documentation

• Editing the Default Enterprise Policy Settings on page 13

• Adding a Partner on page 11

Editing the Default Enterprise Policy Settings

Enterprise administrators can change the default policy settings that are applied to new devices when they register with the enterprise. After registration, feature settings can be changed for specific devices (see “Modifying Device Settings” on page 68).

NOTE: The supported features vary by device. If a device does not support a feature, the feature settings are ignored. For example, the firewall and antispam settings apply only to Symbian and Windows Mobile devices.


To view and edit enterprise settings:

1. To view the basic enterprise settings, such as the enterprise code and license, select the Home tab for the enterprise. To change the basic settings, see “Adding an Enterprise” on page 12. If you access the enterprise from another system using SOAP API calls, click Generate UUID to generate a universally unique identifier for the enterprise.

2. To change the enterprise policy settings, select the Settings tab, select the General Settings or MDM Settings in the left frame, edit the settings described in the following table, and click Update.

3. Edit the following settings as needed, and click Update.

General Settings

Software Download URL: Enter the URL where users can download and install the Pulse client for their device. If you manually add a device, the gateway sends an SMS message or e-mail to the device with a license key and a link to this URL.

MDM Settings

iOS Default Profile and Android Default Profile: Select the default MDM profiles to be applied to iOS and Android devices when they register with the enterprise. The two profiles can be the same, except that an imported profile created with the Apple IPCU utility cannot be used for Android devices. If Automatic Profile Assignment is enabled, the default MDM profile is assigned only when the ownership of the device is unknown.

The AutomaticDefault profile (for iOS) and the AutomaticAndroidDefault profile, both of which can be changed, are created automatically for each enterprise. To add or change a profile, click View MDM Profiles. To change the profiles for a device after the device is registered, see “Modifying Device Settings” on page 68.

Device Check-In Period: Select the number of days between the prompts sent to each iOS device to check in with the gateway for profile and other updates. Select Disable to stop sending check-in prompts to registered devices.

APNS Certificate


Displays the status and expiration date of the MDM Apple Push Notification Service (APNS) certificate after it is uploaded to the enterprise. Use the Upload button in the next section. The Upload button in this section is for compatibility with the APNS procedure used in release 3.0.

If you are using a Secure Access server, the Host Checker requires the client CA certificate to support iOS devices. To download the client CA certificate for import to a Secure Access server, click Download CA Certificate.

Certificates are valid for one year. When a certificate expires, you can renew it, as described in the next section, or you can click Delete and upload a new certificate.

NOTE: If you delete the existing certificate and install a new one, users of iOS devices who are already registered must uninstall and reinstall the Pulse client.


MDM APNS Certificate Signing Request (CSR)

Generate: To manage MDM profiles for iOS devices, an MDM APNS certificate must be uploaded to the enterprise. Without an MDM APNS certificate, iOS devices can register, and iPhones and iPads with 3G support can report their GPS location (dashboard users will see only the GPS location), but the certificate is required for all other features. After a new certificate is installed, users who are already registered must uninstall and reinstall the Pulse client.

Before you begin, note the following:

• If you do not have an Apple ID, go to https://appleid.apple.com to create one.

• If the Control Center is not configured, see “Configuring the Control Center Settings” on page 32.

To obtain or renew an APNS certificate:

a. To create a CSR, click Generate, and specify the following information. To renew the current certificate, you can skip to Step c if the CSR already exists.

• Common Name—Unique name used to identify the certificate.

• Organizational unit—Name of your department.

• Organization—Legal name of your company/organization.

• Locality—Name of the city where your organization is located.

• State (fully spelled out)—State or province name.

• Country (2 letter code)—Country or region code.

b. Click Generate to have the Control Center sign the CSR. Contact Technical Support if the error MSG Control Center failed to sign certificate request is displayed.

c. Click Download and save the apnscsr.plist file.

d. Click Upload CSR to Apple, log in to the Apple portal, and do the following:

i. To obtain a new certificate, click Create a Certificate and accept the terms. To renew the current certificate, click Renew next to the certificate.

ii. Browse to the location of the apnscsr.plist file, and click Upload.

iii. Click the Download button next to the generated certificate and save the file locally. The APNS certificate file name is:

MDM__Certificate.pem.

e. On the Enterprise page, click the Upload button, click Browse, select the APNS certificate file, and click Upload. The certificate type must be PEM.

Device Settings


Device Profile: Select the default device profile to be applied to non-iOS devices when they register with the enterprise. If Automatic Profile Assignment is enabled, the default device profile is assigned only when the ownership of the device is unknown.

The AutomaticEnterpriseDefaultDeviceProfile, which can be changed, is created automatically for each enterprise. To add or change a profile, click View Device Profiles. You can change the profile assigned to a device after the device is registered (see “Modifying Device Settings” on page 68).

Automatic Profile Assignment

Automatic MDM Profile Assignment: Select the MDM profiles to be applied to corporate-owned and employee-owned iOS and Android devices. These profiles are applied during automatic registration if the Device Identity Server specifies the device ownership. If a device’s ownership is unknown or Disable is selected for the corporate- or employee-owned profile, the default MDM profile is applied during registration.

When an MDM profile is selected for corporate- or employee-owned devices, note the following:

• The MDM profile cannot be changed on an individual iOS or Android device, unless the ownership is unknown.

• The iOS and Android devices are updated automatically if the ownership-based MDM profiles are changed or the ownership of an individual device is changed (see “Modifying Device Settings” on page 68). Updates occur during the next synchronization with the gateway.

Automatic Device Profile Assignment: Select the device profiles to be applied to corporate-owned and employee-owned non-iOS devices. These profiles are applied during automatic registration if the Device Identity Server specifies the device ownership. If the ownership is unknown or Disable is selected for the corporate- or employee-owned profile, the default device profile is applied during registration.

When a device profile is selected for corporate- or employee-owned devices, note the following:

• The device profile cannot be changed on an individual device, unless the ownership is unknown.

• Non-iOS devices are updated automatically if the ownership-based device profiles are changed or the ownership of an individual device is changed (see “Modifying Device Settings” on page 68). Updates occur during the next synchronization with the gateway.

Related Documentation

• Adding Administrator Accounts on page 17

• Managing Devices on page 67

Adding Administrator Accounts

The root administrator of the Pulse Mobile Security Gateway can create other administrator accounts at the root level or for a specific partner or enterprise. A partner-level account can access only that partner and one or more of its enterprises. An enterprise-level account can access only that enterprise.

The procedure for creating administrator accounts is the same at each level: create a role that has the administrator permissions, create a user account, and then assign the role and a user control list to the account.

NOTE: Do not change the name of the predefined root account ([email protected]). This login account is required to configure the Central Console and Malware Signature Server settings for malware signature updates.

Adding an Administrator Role

A role is a set of permissions that you can apply to a user account. For example, you can define a role that allows view permission on everything, but allows edit permission on only a few objects. For an administrator role, you typically allow all permissions.

To define an administrator role:

1. Select the root, a partner, or an enterprise. The role must be created at the same level as the user accounts where you want to apply the role.

NOTE: To allow administrators to add a partner, the root level must be selected.

2. Select the Roles tab, and click Add Role.

3. Select the permissions View, Add, Edit, Delete, and Move for each object, such as users and devices. Click Select All to enable all permissions. The following table describes the effect of the View permission, which is required for all other permissions.

Partner: Displays the list of available partners on the Home tab for users defined at the root level.

Enterprise: Displays the list of available enterprises on the partner Home tab for users defined at the root or partner level. For enterprise-level users, the Home tab displays the basic settings for the enterprise, such as enterprise name and license.

For root and partner users, the Edit permission displays an icon next to each enterprise that allows the basic settings to be changed. To allow all other enterprise settings to be viewed or changed, see the Enterprise Settings object.

Device Identity Server: Displays the Device Identity Servers selection on the Settings tab at the root, partner, and enterprise levels (available only in roles created at the root level).

User: Displays the Users tab at each level.

User Group: Displays the User Groups selection on the Groups tab for each enterprise.

User Role: Displays the Roles tab at each level. The Add permission allows roles to be defined, but the Assign User Role(s) permission is needed to assign a role to an account (see Step 4).

Device: Displays the Devices tab for each enterprise.

Device Group: Displays the Device Groups selection on the Groups tab for each enterprise.

Firewall Rule: Displays the Firewall Rules selection on the Profiles tab at each level.

MDM Profile: Displays the MDM Profiles selection on the Profiles tab for each enterprise.

Firewall Profile, Antispam Rule, and Antispam Profile: Displays each selection on the Profiles tab at each level.

Android Prohibited Application: Displays the Prohibited Applications selection on the Profiles tab at each level.

Enterprise Settings: Displays the Enterprise Settings selection for the device-related settings on the Settings tab in each Enterprise. The Edit permission also displays an icon next to each enterprise on the partner Home tab.

System Settings: Displays the System Settings selection on the Settings tab at each level.

4. Scroll down, select Additional Permissions, and select the following permissions, as appropriate. Click Select All to select or clear all of the check boxes.

Use Enterprise Console: Allows users to log in to the management console.

Assign User Role(s): Displays an icon next to each role and user account on the Roles page and User Accounts page that allows roles to be assigned to each account.

Assign User Access Control List: Displays an icon next to each user account on the User Accounts page that allows an access control list to be assigned to each account.

Send Commands: Displays the Send Commands button on the Devices, Users, Device Groups, and User Groups pages.

Access Logs: Displays the Logs tab at the root and enterprise levels, which provides access to the enterprise and Change History logs.

Access Profiles: Displays the Profiles tab, which provides access to the Antispam, Firewall, and MDM profiles.

View UUID: Displays the UUID number in the general settings on the enterprise Home tab.

Generate UUID: Displays the Generate UUID button in the general settings on the enterprise Home tab (View UUID also must be enabled).

View Command List: Displays the Command List selection on the Help menu.

View Virus Definition List: Displays the Virus Definition List selection on the Help menu.

Access Reports: Displays the Reporting tab, which allows access to the following selected reports (the Summary report is always available):

• Virus Discovery Alerts

• Profile Update

• Registration

• Software Update

• Monitor & Control

• App Revocation

• App Revocation List

• GPS Tracking

• Command History

• Android Malware

5. Click Save to create the role and close the dialog box.

Adding a User Account

To create a user account:

1. Select the root, a partner, or an enterprise. A partner-level account can access only that partner and one or more of its enterprises. An enterprise-level account can access only that enterprise.

2. Click the Users tab.

3. Click Add User Account and specify the following information:

• First Name and Last Name

• User Name—Name used to log in to the gateway. The user name must be an e-mail address.

• Password and Confirm Password—The password for logging in to the gateway. Passwords must contain at least eight characters and cannot include the user name.

4. Click Save to create the account and close the dialog box.


Assigning a Role and User Control List to a User Account

After you create the role and the user account, you assign the role to the account and select a user control list to specify the objects that the user can access.

To assign a role and user control list to an account:

1. Select the root, a partner, or an enterprise.

2. Click the Users tab.

3. Click User Accounts.

4. In the list of user accounts, click the Assign User Roles icon in the last column of the table for the user account you want to update, select the check box for the role you want to assign to the user, and then click Save.

5. Click the Assign User Control List icon in the last column of the table for the user account, and select the check boxes for the objects that you want to allow the user to access. Selecting an object allows access to that object and all objects lower in the hierarchy. For example, if you select a partner, the user can access all enterprises for that partner.

6. Click Save to save the account.

Related Documentation

• Managing Devices on page 67

Registering Devices

To manage a mobile device with the Pulse Mobile Security Gateway, the Pulse client must be installed on the device, and then the device must be registered with an enterprise defined on the gateway. Devices can be registered manually, where the user enters an e-mail address, password, and license key, or automatically, where the device is registered through a device identity server (DIS) with little or no user input.

The following registration methods are supported:

• Manual Registration of iOS Devices on page 21

• Manual Registration of non-iOS Devices on page 22

• Automatic Registration on page 22

Manual Registration of iOS Devices

To register an iOS device manually, the administrator sends an e-mail to the device that includes the following:

• The download URL of the Pulse client in the iTunes App Store. The standard URL is:

http://itunes.apple.com/us/app/junoe-pulse/id381348546?mt=8

• The license key (enterprise code)


• A junospulse URL that specifies the Pulse Mobile Security Gateway. Users click the link and enter an e-mail address, password, and license key to register the device. The default URL is:

junospulse:///?method=mss&action=autoRegister&url==https:/mss.junospulse.juniper.net/smobile/ident/registerDevice.htm

If you know the UDID or MAC address of the iOS device, you can generate the registration e-mail automatically by adding the device to the gateway (see “Adding Devices Manually” on page 67). The generated e-mail contains the license key, the Software Download URL specified for the enterprise, and the default junospulse URL. Alternatively, you can add the user account, rather than the device, and then include the account name and password in the registration e-mail.

NOTE: After an iOS device is registered (manually or automatically), the device MDM profile must be deleted before the device can be reregistered. Users who reinstall the Pulse client must manually delete the Juniper MDM.C profile under Settings > General-Profiles before they can reregister the device.

Manual Registration of non-iOS Devices

To register a non-iOS device manually, the administrator uses SMS or e-mail to send the Pulse client download URL and license key (enterprise code) to the user. If the device’s phone number is added manually to the gateway, the license key and Software Download URL specified for the enterprise are sent to the user automatically over SMS (see “Adding Devices Manually” on page 67). If you add the user account, rather than the device, you must include the account name and password in the registration e-mail or SMS message.

When a standard non-iOS Pulse client is started for the first time, it accesses a gateway hosted by Juniper Networks, and the user is prompted to enter an e-mail address, password, and license key to register the device. Branded clients can be configured to access a customer-specific gateway.

Note the following:

• Windows Mobile and Symbian devices must be registered manually.

• Non-iOS tablet devices that do not support SMS cannot receive the SMS message generated when the device is added manually to the gateway.

Automatic Registration

To register an Android, Blackberry, or iOS device automatically, the administrator configures a device identity server (DIS) to approve each device before it is registered. If a device is approved, it can be registered automatically or the user can be prompted for more information (see “Configuring Device Identity Servers” on page 23).


Configuring Device Identity Servers

Juniper Networks Professional Services can help you configure a device identity server to approve Android, iOS, and Blackberry devices before they are registered with the Pulse Mobile Security Gateway. When the Pulse client is started, it requests the identity server to approve the device. If the device is approved, the Pulse client can register the device with the gateway without requiring the user to enter a license key.

The registration process using a device identity server can be customized for each environment, but the general procedure is as follows:

1. After a user installs a standard Junos Pulse client, the administrator sends an e-mail or SMS message that specifies a link to a web page where the user can select a junospulse URL to access the device identity server. For rebranded Pulse clients, the URL of the identity server is predefined, and the identity server is accessed automatically.

NOTE: The Blackberry Pulse client must be rebranded to access a device identity server.

2. When the user confirms that they want to register, the Pulse client sends an approval request to the identity server that includes the device identifiers.

3. (Optional) The identity server can prompt for information to verify the user. If the device is approved, a Security Assertion Markup Language (SAML) assertion and the URL of the Pulse Mobile Security Gateway are returned to the client. The SAML assertion includes the license key needed to register the device, the device identifiers, the user’s account name, and (optionally) a password that allows the user to access the gateway dashboard.

If the device is not approved, the identity server returns an error. The error can display a customized message to the user.

4. If the identity server approves the device, the Pulse client sends the registration request and SAML assertion to the gateway.

5. The gateway registers the device and returns a profile of settings to the device.

To encrypt the SAML assertions, the device identity server must import a certificate from the Pulse Mobile Security Gateway, and to verify the SAML assertions, the gateway must import a certificate from the identity server. The following topics describe how to import the required certificates:

• Importing Certificates for Device Identity Servers on page 24

• Importing the Certificate for the Pulse Mobile Security Gateway on page 24


Importing Certificates for Device Identity Servers

The certificate for each Device Identity Server to be used for automatic registration must be imported to the Pulse Mobile Security Gateway. The public key in the certificate is needed to verify the signature in the SAML assertions sent by the identity server.

To import a certificate for a device identity server:

1. Obtain the certificate file for the device identity server in Distinguished Encoding Rules (DER) format.

2. Log in to the Pulse Mobile Security Gateway and select the root, a partner, or an enterprise. When a device identity server is defined for an enterprise, only that server can approve devices for registration with the enterprise.

3. Select the Settings tab.

4. Click Device Identity Servers, and then click Add Device Identity Server.

5. Specify the following server properties:

• Device Identity Server—Name of the identity server.

• SAML Issuer—Name of the issuer that the identity server specifies in the SAML assertions sent to approve a device.

• Signing Certificate—Click Browse and select the certificate file for the identity server.

6. Click Save to import the certificate.

Importing the Certificate for the Pulse Mobile Security Gateway

A private key and certificate for the Pulse Mobile Security Gateway must be created with a third-party tool (such as OpenSSL) and imported to the gateway. The private key and certificate must be saved in a PKCS12 file. The certificate file (without the private key) must also be imported in DER format to each device identity server defined on the gateway so that the public key in the certificate can be used to encrypt the SAML assertions.

NOTE: The Delete Device Identity Server role permission is required to import the certificate.

To import the certificate for the Pulse Mobile Security Gateway:

1. Generate a private key and certificate in a PKCS12 file.

2. Log in to the Pulse Mobile Security Gateway as a root administrator.

3. Select the Settings tab, click Device Identity Servers, and then click Decryption Key and Certificate.

4. Click Browse and select the PKCS12 file that contains the certificate and private key for the gateway.

5. Enter the password that was used to encrypt the private key.


6. Click Save to import the certificate.

7. Import the gateway certificate file (in DER format) to each identity server to be used for automatic registration.
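The OpenSSL work behind step 1 and step 7 above, and the DER parse check that applies equally to an identity server certificate obtained for “Importing Certificates for Device Identity Servers”, as an added example that is not part of this guide or of the Juniper product. The directory, file names, certificate subject and PKCS12 export password are assumptions chosen for illustration; the gateway only requires that the PKCS12 file and the password you enter in step 5 match.

```shell
#!/bin/sh
# Added example (not from the Juniper guide). Creates the gateway's private key
# and certificate, bundles them as PKCS12 for the "Decryption Key and Certificate"
# upload, and exports the certificate alone (no private key) in DER format for
# import to each device identity server, which uses its public key to encrypt
# SAML assertions. Subject name, file names and password are assumed values.
set -eu

# make_gateway_material DIR PASSWORD
# Writes DIR/gateway-key.pem, DIR/gateway-cert.pem, DIR/gateway.p12, DIR/gateway.der
make_gateway_material() {
  dir=$1
  p12_pass=$2
  mkdir -p "$dir"
  # Step 1: private key plus self-signed certificate (assumed subject, one year).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=mss.example.com/O=Example Corp/C=US" \
    -keyout "$dir/gateway-key.pem" -out "$dir/gateway-cert.pem" 2>/dev/null
  chmod 600 "$dir/gateway-key.pem"
  # Step 1: PKCS12 bundle; the export password is what you enter in step 5.
  openssl pkcs12 -export -inkey "$dir/gateway-key.pem" -in "$dir/gateway-cert.pem" \
    -passout "pass:$p12_pass" -out "$dir/gateway.p12"
  # Step 7: certificate only, DER encoded, for the identity servers.
  openssl x509 -in "$dir/gateway-cert.pem" -outform DER -out "$dir/gateway.der"
}

# cert_fingerprint FILE FORMAT -> prints the SHA-256 fingerprint of a certificate
# (FORMAT is PEM or DER). Comparing PEM and DER fingerprints confirms that the
# file handed to the identity server is the same certificate the gateway holds.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# p12_has_private_key FILE PASSWORD -> exit 0 if the bundle opens with PASSWORD
# and contains a private key (the gateway needs both the key and the certificate).
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# der_parses_as_cert FILE -> exit 0 if FILE is a DER-encoded X.509 certificate,
# the format the identity server import (and the gateway's own import) expects.
der_parses_as_cert() {
  openssl x509 -in "$1" -inform DER -noout 2>/dev/null
}

# Usage: "sh thisfile.sh run" builds into a temp dir and prints both fingerprints.
if [ "${1:-}" = "run" ]; then
  out=$(mktemp -d)
  make_gateway_material "$out" 'change-me-p12-pass'
  echo "PEM: $(cert_fingerprint "$out/gateway-cert.pem" PEM)"
  echo "DER: $(cert_fingerprint "$out/gateway.der" DER)"
fi
```

The self-signed certificate is enough here because the identity server trusts the certificate you import to it directly rather than through a CA chain; if your organisation prefers CA-issued certificates, replace the `req -x509` step with a CSR signed by your CA and keep the PKCS12 and DER steps as they are.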

Configuring GCM, SMS, and System Log Settings

The System Settings for the Pulse Mobile Security Gateway let you configure:


• Severity level of the messages written to the system log and optional links on the dashboard login page (root level only).

• SMS aggregation service—Routes commands from the gateway to non-iOS devices. You can select Clickatell or TextingForward as the default service, and configure the other service for specific countries (country-based routing). You can also configure TextingForward for specific carriers (carrier-based routing). The settings are evaluated in the following order:

a. Country-based routing

b. Carrier-based routing

c. Default routing

• Google Cloud Messaging (GCM) service—Replaces C2DM and provides an alternative to SMS for routing commands to Android devices (version 2.2 or later). If the GCM service is not configured, or does not acknowledge a command in 5 minutes, the routing method defaults to C2DM (if configured), and then to SMS. Database administrators can change the default wait time.

The SMS and GCM services can be configured at the root, partner, and enterprise levels. If SMS or GCM is not configured for an enterprise, the settings default to the partner level (if defined), and then to the root.
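The evaluation order just listed (country-based, then carrier-based, then default routing), as an added example that is not from this guide or the Juniper product. The routing settings are constructed values, and the carrier list is parsed in the carriercode=... format shown later under Carrier Based Routing; carrier-based routing is TextingForward only, as the guide states, while country-based routing uses whichever service is selected as Type.

```shell
#!/bin/sh
# Added example (not from the Juniper guide): the aggregator selection order the
# gateway applies to a device command. All settings below are constructed.
DEFAULT_AGGREGATOR="Clickatell"            # Default Aggregator Settings
COUNTRY_ROUTING_ENABLED=1                  # Country Based Routing: Enable
COUNTRY_ROUTING_SERVICE="TextingForward"   # Country Based Routing: Type
COUNTRY_ROUTING_COUNTRIES="DE FR"          # Country Based Routing: Countries
CARRIER_ROUTING_ENABLED=1                  # Carrier Based Routing: Enable
CARRIER_ROUTING_CARRIERS="carriercode=SPRINTUS, carriercode=VERIZONUS"

# in_list NEEDLE WORD... -> exit 0 if NEEDLE equals one of the words
in_list() {
  needle=$1
  shift
  for x in "$@"; do
    [ "$x" = "$needle" ] && return 0
  done
  return 1
}

# carrier_codes -> prints the bare codes from the carriercode=... list
carrier_codes() {
  echo "$CARRIER_ROUTING_CARRIERS" | tr ',' ' ' | sed 's/carriercode=//g'
}

# select_aggregator COUNTRY CARRIERCODE -> prints the service that carries the
# command and which rule chose it, in the order a, b, c from the guide.
select_aggregator() {
  country=$1
  carrier=$2
  # a. country-based routing
  if [ "$COUNTRY_ROUTING_ENABLED" = 1 ] && in_list "$country" $COUNTRY_ROUTING_COUNTRIES; then
    echo "$COUNTRY_ROUTING_SERVICE (country-based)"
    return 0
  fi
  # b. carrier-based routing (TextingForward only)
  if [ "$CARRIER_ROUTING_ENABLED" = 1 ] && in_list "$carrier" $(carrier_codes); then
    echo "TextingForward (carrier-based)"
    return 0
  fi
  # c. default routing
  echo "$DEFAULT_AGGREGATOR (default)"
}

# Usage: a German device on a US carrier code still takes the country rule.
if [ "${1:-}" = "run" ]; then
  select_aggregator DE SPRINTUS
  select_aggregator US SPRINTUS
  select_aggregator US ATTUS
fi
```

A device that matches both a country and a carrier entry is routed by the country entry, which is why the guide recommends checking the country list first when a command unexpectedly goes out through the alternate service.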

To configure the system settings:

1. Select the Settings tab for the root, a partner, or an enterprise, and click System Settings.

2. Specify the following information, and click Update.

System Logs (root level only)

Severity: Severity level of the messages sent to the system log. The selected level includes all messages that have a higher severity. For example, selecting Info includes all messages except Debug.

• Fatal—Critical error messages about system failures.

• Error—Noncritical error messages, such as license expired.

• Warn—Informational messages about minor events that are not errors (the default).

• Info—Informational messages, such as command sent.

• Debug—All messages, plus detailed messages about internal processing.

Android

C2DM settings: If C2DM is configured, you can continue to use it, but Google is not accepting new accounts and will not increase the quotas for existing accounts.

GCM Sender ID and GCM API Key: Use the instructions on the following website to obtain a Google API project ID (sender ID) and a Server API key:

http://developer.android.com/guide/google/gcm/gs.html

If you do not have a Google account, you must create one. You do not need to register the project or specify an IP address for the Server API key.

Custom Features (root level only)

Dashboard More Info URL: URL of an optional link displayed below Forgot your password? on the dashboard login page.

Dashboard More Info URL Name: Text of the More Info URL link.

Dashboard Footer URL: URL of an optional link displayed in the lower left corner of the dashboard login page.

Dashboard Footer URL Name: Text of the Footer URL link.

Default Aggregator Settings

Enable default routing: Select the check box to specify the default SMS aggregator settings to be used when the country and carrier settings (if any) do not apply.

Aggregator Service: Select Clickatell or TextingForward.

Username: The username passed to the SMS provider’s gateway API when sending commands. An SMS gateway is required to send commands to non-iOS devices. Commands for Android devices are sent over SMS if the GCM service is not configured or available.


Password The password passed to the SMS provider’s gateway API when sending commands.

API The API key assigned by the aggregator.

URL The base URL of the SMS aggregator's API. When you send a command, keyword=value pairs are appended to the URL for the user, password, API key, device number, and device command.

Custom Key/Value Additional keyword=value pairs, separated by commas, that can be Pairs appended to the base URL (optional).

Carrier Based Routing

Enable carrier based routing: Select the check box to use the TextingForward service for specific mobile phone carriers. These settings are evaluated if the country based settings (if any) do not apply.

Username, Password, API, URL, Custom Key/Value Pairs: See the default aggregator settings.

Carrier: Enter the carrier code of each carrier for which you want to use the TextingForward service. For example:

carriercode=SPRINTUS, carriercode=VERIZONUS

For a complete list of the carrier codes, see: http://textingforward.com/TADpole_Outgoing_SMS_API_07202010.pdf

Country Based Routing

Enable country based routing: Select the check box to use the alternate aggregation service for one or more countries. These settings are evaluated before the carrier based settings (if any). If the country and carrier based settings do not apply, the default aggregator settings are used.

Type: Select the aggregation service (Clickatell or TextingForward).

Username, Password, API, URL, Custom Key/Value Pairs: See the default aggregator settings.

Countries: In the Available list, select the countries that you want to use the alternate service, and click Add. To remove a country from the selected list, select the country, and click Remove.
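The evaluation order described in the three aggregator tables (country based settings first, then carrier based settings, then the default settings) and the way keyword=value pairs are appended to the base URL are shown below as an added example. It is not gateway code: the query parameter names, the endpoints and the credentials are constructed assumptions, and the only values taken from the guide are the Carrier field format and the evaluation order.

```python
"""Added illustration of the SMS aggregator routing described in the tables
above: country-based settings are evaluated first, then carrier-based
settings, then the default aggregator. This is not gateway code; the
query parameter names and endpoints are assumptions and the credentials
are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlencode


@dataclass
class AggregatorSettings:
    """One settings block: default, carrier-based, or country-based."""
    service: str                 # "Clickatell" or "TextingForward"
    username: str
    password: str
    api_key: str
    base_url: str
    custom_pairs: str = ""       # "key=value, key=value" as typed in the UI
    enabled: bool = True
    countries: List[str] = field(default_factory=list)  # country-based only
    carriers: List[str] = field(default_factory=list)   # carrier-based only


def parse_custom_pairs(text: str) -> Dict[str, str]:
    """Parse the comma-separated keyword=value pairs of the Custom Key/Value field."""
    pairs: Dict[str, str] = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed custom pair: {item!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def parse_carrier_codes(text: str) -> List[str]:
    """Parse the Carrier field, e.g. 'carriercode=SPRINTUS, carriercode=VERIZONUS'."""
    codes: List[str] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key.strip() != "carriercode" or not value.strip():
            raise ValueError(f"expected carriercode=<code>, got {item!r}")
        codes.append(value.strip().upper())
    return codes


def select_aggregator(country: str, carrier: str,
                      country_rules: List[AggregatorSettings],
                      carrier_rule: Optional[AggregatorSettings],
                      default: AggregatorSettings) -> AggregatorSettings:
    """Apply the evaluation order stated in the tables: country, carrier, default."""
    for rule in country_rules:
        if rule.enabled and country.upper() in rule.countries:
            return rule
    if carrier_rule and carrier_rule.enabled and carrier.upper() in carrier_rule.carriers:
        return carrier_rule
    if default.enabled:
        return default
    raise LookupError("no SMS aggregator applies to this device")


def build_command_url(agg: AggregatorSettings, device_number: str, command: str) -> str:
    """Append the keyword=value pairs to the base URL. urlencode() escapes
    '&', '+' and spaces so a password or command cannot alter the query.
    Parameter names are assumed; each aggregator API defines its own."""
    params = {
        "user": agg.username,
        "password": agg.password,
        "api_id": agg.api_key,
        "to": device_number,
        "text": command,
    }
    params.update(parse_custom_pairs(agg.custom_pairs))
    separator = "&" if "?" in agg.base_url else "?"
    return agg.base_url + separator + urlencode(params)


# Constructed sample configuration (no real credentials or endpoints).
DEFAULT = AggregatorSettings("Clickatell", "msg-default", "p&ss w", "KEY-DEFAULT",
                             "https://sms.example.test/send", custom_pairs="from=MSG, mo=1")
CARRIER = AggregatorSettings("TextingForward", "msg-carrier", "pw-carrier", "KEY-CARRIER",
                             "https://tf.example.test/api",
                             carriers=parse_carrier_codes("carriercode=SPRINTUS, carriercode=VERIZONUS"))
COUNTRY_UK = AggregatorSettings("TextingForward", "msg-uk", "pw-uk", "KEY-UK",
                                "https://tf.example.test/api", countries=["GB"])


def route_command(country: str, carrier: str, device_number: str, command: str) -> str:
    """Pick the aggregator for a device and return the command URL."""
    agg = select_aggregator(country, carrier, [COUNTRY_UK], CARRIER, DEFAULT)
    return build_command_url(agg, device_number, command)


if __name__ == "__main__":
    print(route_command("US", "SPRINTUS", "+15555550100", "LOCK"))
    print(route_command("DE", "TMOBILEDE", "+495555550100", "LOCK"))
```

Because the credentials travel as query parameters, the base URL should use HTTPS and the gateway's outbound logs should not record the full URL; the encoding step matters because a password containing & or spaces would otherwise split the query.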


Related Documentation

• Managing Devices on page 67

Configuring Application APNS Certificates

An enterprise administrator can use device commands to send messages to the Pulse client on Android devices and the service registration (SR) application on iOS devices (see “Sending Device Commands” on page 73). The SR application installed on iOS devices must be repackaged with an updated provisioning profile, and an application APNS certificate must be obtained from Apple and uploaded to the gateway.

NOTE: The application APNS certificate is separate from the MDM APNS certificate needed to manage MDM profiles for iOS devices. For more information about application APNS certificates, see the App Distribution Guide in the iOS Developer Library.

• Obtaining an Application APNS Certificate on page 28

• Uploading Application APNS Certificates on page 30

Obtaining an Application APNS Certificate

To obtain an application APNS certificate:

1. Log in to an Apple Mac computer with OS X 10.6 or higher. If you do not have an Apple Developer account, go to http://developer.apple.com/programs/ios/ to obtain one.

2. Download the iOS 4.2 SDK from http://developer.apple.com/xcode/index.php. The SDK includes the Xcode development tool.

3. Log in to the iOS Provisioning Portal at https://developer.apple.com/ios/my/provision/index.action.

4. Create a distribution signing certificate for your developer account (see Creating Your Signing Certificates).

5. Create an App ID for your SR application:

a. Select Certificates, Identifiers & Profiles, select Identifiers > App IDs, and click the plus (+) button.

b. Enter a description of the application, and select the Push Notifications check box.

c. Under App ID Suffix, select Explicit App ID and enter a bundle ID in the recommended reverse-domain format, such as com.mycompany.myappname.

d. Click Continue, review the information, and click Submit.

6. Create an APNS certificate for the App ID:

a. Under Certificates, Identifiers & Profiles, select Identifiers > App IDs, and select the App ID created in Step 5.

b. Select Settings, and select the Push Notifications check box.


c. Under Production SSL Certificate, click Create Certificate.

NOTE: Development SSL certificates are not supported.

d. Follow the instructions to open the Keychain Access utility on the Mac, create a certificate signing request (CSR), and save the CSR file to the local disk.

e. Click Choose File, select the CSR file, and click Generate.

f. When the certificate is generated, click Continue, and then click Download to save the certificate file (with a .cer extension) to the local disk.

g. Double-click the certificate file to open Keychain Access, select the certificate and its private key, and then select File > Export to export the certificate and key as a password protected .p12 file. The exported certificate file must be uploaded to the gateway (see “Uploading Application APNS Certificates” on page 30).

7. Create a provisioning profile that includes the APNS certificate:

a. Under Certificates, Identifiers & Profiles, select Provisioning Profiles, select Distribution, and click the plus (+) button.

b. Select App Store as the distribution method, and click Continue.

c. Select the App ID created in Step 5, and click Continue.

d. Select the distribution signing certificate, and click Continue.

e. Click Download and save the provisioning profile to the local disk with a file extension of .mobileprovision.

f. Drag the profile file onto the Xcode or iTunes application icon, or move the profile file to ~/Library/MobileDevice/Provisioning Profiles. Create the directory if it does not exist.

g. Open the profile in a text editor to verify that the entitlements are correct. In the Entitlements dictionary, the string value of the aps-environment key should be production for a distribution provisioning profile.

8. Unzip the SR application zip file provided by Professional Services. Run the package.py script from the command line to sign and package the application into a format that can be submitted to the iTunes App Store. The script command must specify the full path to the provisioning profile and the full name of the signing certificate from the Keychain Access utility. For example:

package.py -p /Users/username/Desktop/ABC_Security.mobileprovision -c "iPhone Distribution: ABC Security" -o /Users/username/Desktop/output/

The entire certificate name from Keychain Access, including any alphanumeric codes that follow it, must be enclosed in quotation marks. The path to the provisioning profile and output location should be absolute paths.
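Step 7g says to open the provisioning profile in a text editor and confirm the aps-environment entitlement; the added example below performs the same check offline, together with the expiry and App ID prefix that the upload step later depends on. It is not part of the guide or of any Apple or Juniper tool. It relies on the fact that a .mobileprovision file is a CMS (PKCS#7) envelope whose signed XML property list sits in cleartext inside the DER structure, so the plist can be cut out between the <?xml and </plist> markers; the CMS signature itself is not verified, and the sample profiles are constructed.

```python
"""Added illustration: inspect a .mobileprovision file offline the way step 7g
suggests, without opening it in a text editor. The file is a CMS (PKCS#7)
signature envelope whose signed payload, an XML property list, appears in
cleartext inside the DER structure, so it can be cut out between '<?xml' and
'</plist>'. The CMS signature is not verified here. Not part of the guide
or of any Apple or Juniper tool; the sample profiles are constructed."""
import plistlib
import re
from datetime import datetime, timezone
from typing import List, Optional

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(profile: bytes) -> dict:
    """Return the property list embedded in a provisioning profile."""
    match = PLIST_RE.search(profile)
    if match is None:
        raise ValueError("no embedded property list found")
    return plistlib.loads(match.group(0))


def app_id_prefix(profile: bytes) -> str:
    """The App ID prefix (team identifier) precedes the first dot of the
    application-identifier entitlement, e.g. ABCDE12345.com.mycompany.app."""
    app_id = extract_plist(profile)["Entitlements"]["application-identifier"]
    return app_id.split(".", 1)[0]


def check_distribution_profile(profile: bytes, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the profile passes."""
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    info = extract_plist(profile)
    entitlements = info.get("Entitlements", {})
    problems = []
    aps = entitlements.get("aps-environment")
    if aps != "production":
        problems.append(f"aps-environment is {aps!r}, expected 'production'")
    if "application-identifier" not in entitlements:
        problems.append("application-identifier entitlement missing")
    if "ProvisionedDevices" in info:
        problems.append("profile lists devices: development or ad hoc, not App Store")
    expires = info.get("ExpirationDate")
    if expires is None:
        problems.append("ExpirationDate missing")
    elif expires <= now:
        problems.append(f"profile expired on {expires:%Y-%m-%d}")
    return problems


def make_sample_profile(aps_env: str, provisioned: bool = False) -> bytes:
    """Build a constructed profile: a few DER-looking bytes around an XML plist."""
    plist = {
        "Name": "ABC Security",
        "TeamIdentifier": ["ABCDE12345"],
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.srapp",
            "aps-environment": aps_env,
        },
        "ExpirationDate": datetime(2014, 10, 29, 0, 0, 0),
    }
    if provisioned:
        plist["ProvisionedDevices"] = ["00000000000000000000000000000000deadbeef"]
    xml = plistlib.dumps(plist)
    # SEQUENCE header and the signedData OID, as a CMS envelope would start.
    return b"\x30\x82\x0f\xff\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + xml + b"\x00\x00"


# Constructed reference dates for the sample checks.
SAMPLE_NOW = datetime(2013, 11, 1)
SAMPLE_LATER = datetime(2015, 1, 1)

if __name__ == "__main__":
    good = make_sample_profile("production")
    print(app_id_prefix(good), check_distribution_profile(good, now=SAMPLE_NOW))
    print(check_distribution_profile(make_sample_profile("development", provisioned=True), now=SAMPLE_NOW))
```

Running the check on the downloaded profile before packaging catches the two mistakes that otherwise surface only after the App Store submission: a development profile (aps-environment of development, or a device list) and a profile that has already expired.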


Uploading Application APNS Certificates

For each enterprise where the SR application for iOS devices is repackaged to support the receipt of messages from the gateway, the application APNS certificate obtained from the iOS Provisioning Portal must be uploaded to the root level of the gateway (see “Obtaining an Application APNS Certificate” on page 28).

To upload and manage application APNS certificates:

1. Log in to the gateway as [email protected].

2. Select the Settings tab and click App APNS Certificates.

3. To upload a certificate:

a. Click Upload, click Browse, and select the certificate file.

b. Enter the password used to encrypt the private key, and click Upload.

4. If the prefix of the displayed App ID does not match the prefix generated by the iOS Provisioning Portal, select the App ID, correct the prefix, and click Save Changes.

Certificates are valid for one year. To replace an expired certificate, see Re-Creating Certificates in the App Distribution Guide:

Related Documentation

• Sending Device Commands on page 73

Updating Malware Signatures

The Juniper Networks Mobile Threat Center (MTC) regularly publishes a new set of malware signatures (virus definitions) to one or more Malware Signature Update servers. The new signatures can be downloaded to the Pulse Mobile Security Gateway, and then downloaded to the managed devices in all enterprises when the devices check in with the gateway (non-iOS devices only).

When a new set of signatures is published, the Juniper Networks Control Center can notify each gateway to download the new signatures from the appropriate server, or the gateway can obtain the signatures by polling the Signature Update server.

The gateway uploads reports of the detected viruses to the Control Center for trend analysis by the Mobile Threat Center. The devices in the virus reports remain anonymous. Customers who install their own gateway can elect to poll the Signature Update server without connecting to the Control Center.

To configure the gateway for automatic signature updates:

1. Log in to the gateway as [email protected].

2. Import the gateway certificate. You may have to create a Certificate Signing Request to obtain the certificate.


3. Import the certificates for the Control Center and the Malware Signature Update server.

4. Configure the server settings for the Control Center and the Malware Signature Update server.

Customer Support or Professional Services can provide the settings and certificates for the Control Center and the Malware Signature Update server.

• Creating Certificates for the Pulse Mobile Security Gateway on page 31

• Importing Certificates for the Control Center and Signature Update Server on page 32

• Configuring the Control Center Settings on page 32

• Configuring the Signature Update Server on page 33

Creating Certificates for the Pulse Mobile Security Gateway

To communicate with the Control Center, a certificate must be created for the Pulse Mobile Security Gateway and imported to the gateway. Connecting to the Control Center is optional for customers who install the gateway in their own network.

To create and maintain certificates for the gateway:

1. Log in to the gateway as [email protected].

2. Select the Settings tab and click MSG Certificates.

3. To upload an existing certificate, click Upload, specify the following, and click Upload again:

• If the certificate and private key are in one file, click Browse to select the file, and enter the password used to encrypt the private key. The file must be in PKCS12 or PEM format (file extension .pks, .pkcs12, .pfx, or .pem).

• If the certificate and private key are in separate files, click Browse to select each file, and enter the password used to encrypt the private key. The files must be in DER or PEM format (file extension .der or .pem).

4. To obtain a new certificate:

a. Click Create under Certificate Signing Requests, and specify the following information:

• Common Name—Name associated with your company.

• Organizational Unit—Name of your department.

• Organization Name—Name of your company/organization.

• Locality—Name of the city where your organization is located.

• State—Full name of your state or province.

• Country—Two-letter code that identifies your country.

• Key Length—Select the length of the key (1024 or 2048 bits).

b. Click Create to add the request to the list of signing requests.


c. Click the new request and follow the instructions to submit the request to a Certificate Authority (CA).

d. When you receive the certificate, select the request again, click Browse, select the certificate file, and click Upload. The signing request is deleted, and the certificate is added to the list of gateway certificates.

5. To renew a certificate, select the check box next to the certificate, and click Renew. Click Browse in the Renew Certificate window to select the certificate file, and click Renew.

6. To download a certificate file, click the certificate, and click Download.

The CA certificate used to sign the gateway certificate must be imported to the Control Center by Juniper Networks personnel.
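Step 3 accepts a combined PKCS12 or PEM file, or separate DER or PEM files, and asks for the password that protects the private key. The added example below is a pre-upload check an administrator can run on the workstation to confirm which case a file falls into and to flag a private key stored without a password. It is not the gateway's upload handler and is not from the guide; it only sniffs the container format (PEM labels, or the first element of the outer DER SEQUENCE), and the sample files are constructed with no real key material.

```python
"""Added illustration: classify a certificate or key file before uploading it
under MSG Certificates, and flag a private key stored without a password.
The gateway's own upload handler is not shown in the guide; only the
container format is checked here, not the certificate contents. Sample
files below are constructed and contain no real key material."""
import re
from typing import Dict, Optional, Tuple

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
UNENCRYPTED_NOTE = "private key is not password protected; re-export it encrypted"


def _der_first_child(data: bytes) -> Optional[Tuple[int, Optional[int]]]:
    """Return (tag, single value byte) of the first element inside an outer
    SEQUENCE, or None. Lengths are not validated: this is a sniff, not a parser."""
    if data[:1] != b"\x30" or len(data) < 4:
        return None
    i = 1
    if data[i] & 0x80:                 # long-form length: skip its byte count
        i += 1 + (data[i] & 0x7F)
    else:
        i += 1
    if i + 1 >= len(data):
        return None
    tag, length = data[i], data[i + 1]
    value = data[i + 2] if length == 1 and i + 2 < len(data) else None
    return tag, value


def inspect_upload(data: bytes) -> Dict[str, object]:
    """Describe the file: format, how many certificates and keys it holds,
    and whether any key is stored in the clear."""
    result = {"format": "unknown", "certificates": 0, "private_keys": 0,
              "unencrypted_keys": 0, "notes": []}
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        result["format"] = "PEM"
        for label, body in blocks:
            label = label.decode("ascii")
            if label == "CERTIFICATE":
                result["certificates"] += 1
            elif label == "ENCRYPTED PRIVATE KEY":
                result["private_keys"] += 1          # PKCS#8, password protected
            elif label.endswith("PRIVATE KEY"):
                result["private_keys"] += 1
                # Legacy OpenSSL keys mark encryption with a Proc-Type header;
                # without it the key material is stored in the clear.
                if b"Proc-Type: 4,ENCRYPTED" not in body:
                    result["unencrypted_keys"] += 1
        if result["certificates"] and result["private_keys"]:
            result["notes"].append("certificate and key in one file: upload as a single file")
        elif result["private_keys"]:
            result["notes"].append("key only: upload together with a separate certificate file")
        if result["unencrypted_keys"]:
            result["notes"].append(UNENCRYPTED_NOTE)
        return result
    child = _der_first_child(data)
    if child is None:
        return result
    tag, value = child
    if tag == 0x02 and value == 3:
        result["format"] = "DER PKCS#12"           # PFX version is always 3
    elif tag == 0x02 and value == 0:
        result["format"] = "DER PKCS#8 key"        # PrivateKeyInfo version 0, no encryption
        result["private_keys"] = result["unencrypted_keys"] = 1
        result["notes"].append(UNENCRYPTED_NOTE)
    elif tag == 0x30:
        # Both Certificate and EncryptedPrivateKeyInfo open with a nested SEQUENCE.
        result["format"] = "DER certificate or encrypted PKCS#8 key"
    return result


# Constructed samples; the base64 bodies are placeholders, not real keys.
SAMPLE_PEM_BUNDLE = b"""-----BEGIN CERTIFICATE-----
MIIBsampleCertificateBodyNotRealAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsampleKeyBodyNotRealAAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_ENCRYPTED = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

sampleEncryptedBodyNotRealAAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_DER_PKCS12 = bytes.fromhex("30050201033000")        # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_DER_CERT = bytes.fromhex("30073005a003020102")      # SEQUENCE { SEQUENCE { [0] INTEGER 2 } }

if __name__ == "__main__":
    for name, sample in [("bundle", SAMPLE_PEM_BUNDLE), ("encrypted", SAMPLE_PEM_ENCRYPTED),
                         ("pkcs12", SAMPLE_DER_PKCS12), ("cert", SAMPLE_DER_CERT)]:
        print(name, inspect_upload(sample))
```

The practical point is the last note: the gateway asks for the password used to encrypt the private key, so a key exported in the clear should be re-exported with a password before it is copied around and uploaded.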

Importing Certificates for the Control Center and Signature Update Server

To import the certificates for the Control Center and Signature Update Server:

1. Log in to the gateway as [email protected].

2. Select the Settings tab and click Trusted CAs.

3. Click Upload, select the certificate file for the Control Center, and click Upload. The certificate is added to the list of Trusted CA certificates. Repeat this step to import the certificate for the Signature Update server. The Control Center certificate is optional for customers who install the gateway in their own network.

Configuring the Control Center Settings

When a new set of malware signatures is published to a Signature Update Server, the Control Center administrator notifies the gateway to download the new signatures from the appropriate server. The gateway also polls the Signature Update Server periodically and uploads virus reports to the Control Center.

To configure the Control Center or view its connection status:

1. Log in to the gateway as [email protected].

2. Select the Settings tab and click MSG Control Center Settings.

3. If the Control Center is configured, a colored dot next to the Control Center name indicates whether the Control Center is connected to the gateway (green), disconnected (red), or not enabled (grey). The gateway name used by the Control Center and the Distinguished Name of the gateway certificate are also displayed.

4. Click Refresh Status to update the connection status.

5. To configure the Control Center, specify the following information, and click Save:

MSG Control Center URL: Specify the Control Center URL as https://mcc.junospulse.juniper.net.

MSG Certificate: Select the gateway certificate used to communicate with the Control Center. For the selected gateway certificate, a certificate for the CA that signed the gateway certificate must be imported to the Control Center. To create a gateway certificate, see “Creating Certificates for the Pulse Mobile Security Gateway” on page 31.

Enabled: Select the check box to enable the gateway to connect to the Control Center. If this check box is cleared, the URL for the Signature Update Server must be configured manually (see “Configuring the Signature Update Server” on page 33).

Configuring the Signature Update Server

To download malware signatures from a Signature Update Server, a server account name and password must be specified on the gateway. The gateway can download new malware signatures when it receives a notification from the Control Center, or by polling the Signature Update Server on a selected schedule. If the Control Center connection is disabled, the URL of the Signature Update Server must be configured manually.

Customer Support or Professional Services can provide the URL and account information for the Signature Update Server.

To configure the Signature Update Server or view the signature status:

1. Log in to the gateway as [email protected].

2. Select the Settings tab and click Malware Signature Settings.

3. The status section specifies the version number of the current signature set installed on the gateway, and the date and time of the last signature update. The Updated By field specifies how the last signature update was initiated:

• MSG Control Center—Notification from the Control Center.

• MSG (Scheduled)—Scheduled poll of the Signature Update Server.

• MSG (Update Now)—User clicked Save & Update Now on this page.

Click Refresh Status to update the signature status.

4. To configure the Signature Update Server, specify the following information:

Signature Update Server URL: If the Control Center connection is disabled, specify the URL of the Signature Update Server.

User Name, Password: Specify a user name and password for the Signature Update Server.

Update Schedule: Select how often the gateway polls the Signature Update Server. If you select Never, the gateway polls the server only when prompted by the Control Center.

5. Click Save or click Save & Update Now to save your changes and poll the server for new signatures.

Related Documentation

• Editing the Default Enterprise Policy Settings on page 13

• Managing Devices on page 67

Chapter 3: Profiles

This chapter is intended primarily for enterprise administrators who define the profiles and policies that apply to the devices in a selected enterprise. These profiles specify various platform-specific features that may or may not be implemented for each enterprise.

Customer service personnel do not typically perform the tasks described in this chapter.

• Defining Prohibited Applications on page 35

• Managing MDM Profiles on page 36

• Managing Device Profiles on page 49

• Managing Firewall Rules and Profiles on page 57

• Managing Antispam Rules and Profiles on page 60

Defining Prohibited Applications

The Pulse Mobile Security Gateway provides signatures that Android devices use to detect malware and suspicious applications. In addition to malware signatures, which are updated periodically, a list of prohibited applications that should not be installed on Android devices can be defined at the root, partner, and enterprise levels. The list of prohibited applications applied to the Android devices in an enterprise is a combination of the applications defined at the root, the associated partner, and the enterprise.

NOTE: If prohibited applications are defined, applications are scanned during installation even if the user disables scanning on the device.

Users can view and remove the malware, suspicious, and prohibited applications discovered on their device. The gateway administrator can view the same information for all devices on the Android Malware report (see “Viewing Reports” on page 79).

To define the prohibited applications:

1. Select the Profiles tab for the root, a partner, or an enterprise, and click Prohibited Applications.

2. To add an application to the list, click Add Prohibited Application, provide the following information, and click Save:


• Android Package Name—The package name of the application, such as com.rovio.angrybirds (up to 100 characters).

• Description—The common name of the application (up to 50 characters).

• Custom Warning Message—Optional message displayed to the user when the application is detected, such as Angry Birds is not permitted on your device.

3. To find all applications that include some specific text in the package name, description, or warning message, enter the text in the Search box.

4. To change an application, select the application, make the changes, and click Save. To remove an application from the list, select the check box next to the application, and click Delete.

Related Documentation

• Managing MDM Profiles on page 36

• Managing Device Profiles on page 49

• Managing Devices on page 67

Managing MDM Profiles

The following topics describe how to manage MDM profiles:

• Adding and Editing MDM Profiles on page 36

• Importing and Exporting MDM Profiles on page 47

• Setting the Default MDM Profile on page 48

• Deleting MDM Profiles on page 49

Adding and Editing MDM Profiles

The Mobile Device Management (MDM) profile defines various settings for iOS and Android devices, such as user restrictions, password requirements, and the VPN and Wi-Fi networks that users can access. When a device registers with an enterprise, the AutomaticDefault profile is applied to iOS devices, and the AutomaticAndroidDefault profile is applied to Android devices. You can edit the default profiles, select other profiles as the defaults, or use the same default profile for both device types.

NOTE: Profiles created with the Apple IPCU utility can be applied only to iOS devices (see “Importing and Exporting MDM Profiles” on page 47).

New MDM profiles can be applied to specific devices or groups of devices after they are registered (see “Modifying Device Settings” on page 68). If you change a profile, any device that has the profile is updated by the next synchronization with the gateway or when the next Update Profile command is sent to the device.

To add or edit MDM profiles:

1. Select the Profiles tab for an enterprise, and then click MDM Profiles.


2. Click Add Profile to add a new profile or select an existing profile that you want to change. Selecting the check box next to a profile and clicking Copy Profile adds a copy of the profile to the end of the profile list named copy-of-, which you can modify as needed. If a profile is copied multiple times, the copied names start with copy2-of-, copy3-of-, and so on.

NOTE: Changing a profile that is used by a device requires both the Edit Profile and Edit Device user privileges.

3. Specify the settings in each of the following sections of the profile by clicking the section name in the left frame. To save the changes in each section, click Save before selecting another section.

• General Settings on page 37

• Exchange ActiveSync Settings on page 37

• Security & Control on page 38

• VPN Settings on page 41

• SCEP Authentication Settings (iOS Devices Only) on page 43

• Wi-Fi Connectivity Settings on page 44

• Tracking (iOS Devices) on page 46

General Settings

The general settings in an MDM profile specify the profile name and a description of the profile.

Name: Specify the name of the MDM profile (up to 50 characters). The name is the only required information for a new profile, and it must be unique.

Description: A description of the profile’s purpose (up to 300 characters).

Exchange ActiveSync Settings

The Exchange settings in an MDM profile can synchronize the e-mail account on an iOS or Android Samsung device with the e-mail account on a Microsoft Exchange server. The synchronized information includes the inbox, outbox, draft folder, and list of contacts.

Require exchange setting on device: Select the check box to configure a Microsoft Exchange e-mail account on the device. The registered user name on the Pulse Mobile Security Gateway must match the name of the Exchange e-mail account. For example, if the user account on the gateway is [email protected], the user is prompted for a password for the Exchange account [email protected]. Clearing this check box excludes Exchange settings from the profile.

Domain: Specify the domain name of the Microsoft Exchange account (optional). The specified domain and a backslash (\) are placed before the Exchange account name. For example, if the domain is JNPR, the account name becomes JNPR\[email protected].

Exchange ActiveSync Host: Specify the name or IP address of the Microsoft Exchange server used by the device, such as juniper.com. The server name cannot include spaces.

Allow Move (iOS 5 or later): Select the check box to allow messages sent or received by this account to be moved to a different mail account. Also allows using another account to reply to or forward a message from this account.

Use Only in Mail (iOS 5 or later): Select the check box to allow only the Mail application to send messages from this account. Messages created by other applications, such as Photos or Safari, cannot be sent from this account.

NOTE: If this option is enabled, logs cannot be sent to the gateway from iOS 5 (or later) devices.

Use SSL: Select the check box to use SSL to secure the data sent from the Microsoft Exchange server to the iOS device. If you clear this check box, the data is not encrypted.

Click Save to save the settings.

Security & Control

The Security & Control settings in an MDM profile specify the password requirements and other user restrictions.

Passcode

Click the Passcode tab to specify the following settings:

Require passcode on device: Select the check box to require the user to create a passcode before the profile can be installed. Users must enter the passcode to unlock or power on the device. The passcode also is used to encrypt application data.

Require encryption on device (Android devices): Select the check box to prompt the user to enable encryption of application data on Android devices. If a passcode is not defined on the device, PasswordNotSufficient is written to the enterprise log, and the user is not prompted to enable encryption.

Auto-lock: Select the time period that a device can be inactive before it is locked. For iOS devices, if the value exceeds 5 minutes, the device is set to the 5-minute maximum. To unlock a locked device, the user must enter the passcode. Select Never to disable the auto-lock feature.

Grace period for device lock (iOS devices): Select the maximum amount of time that a device can be locked without requiring a passcode to unlock it. The default (Immediately) always requires a passcode to unlock the device. Select None to allow the user to select the grace period.

Maximum number of failed attempts: Select the maximum number of consecutive invalid passcode entries allowed before all data on the device is erased. The default (none) indicates the device’s data is never erased due to invalid passcode entries.

Allow simple value: Select the check box to allow a passcode to contain repeated or sequential characters.

Require alphanumeric value: Select the check box to require a passcode to contain at least one letter or number.

Minimum passcode length: Select the minimum number of characters (1 to 16) required in a passcode. The default (none) indicates a passcode has no minimum length.

Minimum number of complex characters: Select the minimum number of non-alphanumeric characters (1 to 4) required in a passcode, such as $ and &. The default (none) indicates that non-alphanumeric characters are not required.

Passcode history: Specify the number of subsequent unique passcodes required (1 to 50) before a passcode can be repeated. A zero indicates that a passcode can be repeated without restrictions (the default).

Maximum passcode age: Enter the maximum number of days (1 to 730) a passcode can be used before the user is prompted to change it. The default (zero) indicates the same passcode can be used indefinitely.
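The Passcode settings above combine into one acceptance decision on the device. The added example below shows how a candidate passcode is checked against a policy of this shape (minimum length, simple values, alphanumeric and complex-character requirements, history and maximum age). It is not gateway or iOS code; the device OS performs the real enforcement. One interpretation is assumed: "Require alphanumeric value" is implemented as at least one letter and at least one digit. The sample policy, passcodes and dates are constructed.

```python
"""Added illustration: evaluate a candidate passcode against Passcode
settings of the kind listed above. The device OS performs the real
enforcement; this only shows how the rules combine. 'Require alphanumeric
value' is assumed here to mean at least one letter and at least one digit.
Not gateway code; the sample policy and passcodes are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence


@dataclass
class PasscodePolicy:
    require_passcode: bool = True
    allow_simple_value: bool = False
    require_alphanumeric: bool = False
    minimum_length: Optional[int] = None          # None: no minimum (the "none" default)
    minimum_complex_chars: Optional[int] = None   # None: non-alphanumerics not required
    passcode_history: int = 0                     # 0: may be repeated without restriction
    maximum_age_days: int = 0                     # 0: usable indefinitely


def is_simple_value(passcode: str) -> bool:
    """A simple value is one repeated character (1111, aaaa) or a run of
    characters that step by exactly one (1234, 4321, abcd)."""
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps == {1} or steps == {-1}


def check_passcode(passcode: str, policy: PasscodePolicy,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the policy rules the passcode violates (empty list: accepted).
    history holds previous passcodes, oldest first; a real implementation
    compares salted hashes rather than plaintext values."""
    if not policy.require_passcode:
        return []
    if not passcode:
        return ["a passcode is required"]
    problems = []
    if policy.minimum_length and len(passcode) < policy.minimum_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_length}")
    if not policy.allow_simple_value and is_simple_value(passcode):
        problems.append("repeated or sequential characters are not allowed")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)):
        problems.append("must contain at least one letter and one digit")
    complex_count = sum(1 for c in passcode if not c.isalnum())
    if policy.minimum_complex_chars and complex_count < policy.minimum_complex_chars:
        problems.append(f"needs at least {policy.minimum_complex_chars} non-alphanumeric characters")
    if policy.passcode_history and passcode in list(history)[-policy.passcode_history:]:
        problems.append(f"matches one of the last {policy.passcode_history} passcodes")
    return problems


def passcode_expired(policy: PasscodePolicy, last_changed: date, today: date) -> bool:
    """Maximum passcode age: zero means the passcode never expires."""
    if not policy.maximum_age_days:
        return False
    return today - last_changed > timedelta(days=policy.maximum_age_days)


# Constructed sample policy: 6+ characters, letters and digits, one symbol,
# no reuse of the last three passcodes, change every 90 days.
SAMPLE_POLICY = PasscodePolicy(minimum_length=6, require_alphanumeric=True,
                               minimum_complex_chars=1, passcode_history=3,
                               maximum_age_days=90)
SAMPLE_LAST_CHANGED = date(2013, 7, 1)
SAMPLE_TODAY = date(2013, 10, 29)

if __name__ == "__main__":
    print(check_passcode("123456", SAMPLE_POLICY))
    print(check_passcode("Tr0ub4dor&3", SAMPLE_POLICY))
    print(passcode_expired(SAMPLE_POLICY, SAMPLE_LAST_CHANGED, SAMPLE_TODAY))
```

Reading the checks side by side makes one interaction visible: a policy that sets a minimum length but leaves Allow simple value enabled still accepts 123456, so the two settings need to be chosen together.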

Restrictions

Click the Restrictions tab to specify the following settings:

Require restrictions on device: Indicates whether the selected restrictions are applied to the device. Clearing this check box disables the selected restrictions, if any.

Android Devices

Allow use of camera (4.0 or later devices): Indicates whether the camera is enabled on Android devices. When this option is off, the Camera icon is removed from the Home screen.

Allow use of bluetooth (Samsung devices only): Indicates whether the Bluetooth protocol is enabled.

Allow use of WiFi (Samsung devices only): Indicates whether wireless network access is enabled.


iOS Devices

Allow installing apps: Indicates whether users can install applications. Clearing this check box removes the App Store icon from the Home screen, and prevents users from installing or updating applications from the App Store or iTunes.

Allow use of camera: Indicates whether the camera is enabled. When this option is off, the Camera icon is removed from the Home screen, and users cannot take photographs or videos, or use FaceTime. If the camera is enabled, you can select Allow FaceTime to enable video phone calls.

Allow screen capture: Indicates whether users can save a screenshot of the display.

Allow automatic sync while roaming: Indicates whether push operations occur automatically outside the device’s home area. Clearing the check box can avoid roaming charges while still allowing users to obtain updates by manually accessing their iTunes or other accounts.

Allow Siri: Indicates whether Siri is enabled, which allows voice commands and dictation.

Allow Siri while device locked: If Siri is allowed, indicates whether the device responds to voice commands when the device is locked.

Allow voice dialing: Indicates whether users can dial phone numbers using voice commands.

Allow In App purchase: Indicates whether users can make purchases online.

Ratings regions: Select the local country to determine the rating scheme used for movies, TV shows, and applications.

Allowed content ratings: Select the maximum ratings for movies, TV shows, and applications allowed on the device. You can also allow or disallow all movies, TV shows, and applications.

Allow use of YouTube: Indicates whether users can access YouTube on the device. Clearing this check box disables YouTube and removes the YouTube icon from the Home screen.

Allow use of the iTunes Music Store: Indicates whether users can access the iTunes Store on the device. Clearing this check box disables iTunes, removes the iTunes icon from the Home screen, and prevents users from previewing, purchasing, or downloading content.


Allow use of Safari: Indicates whether users can access the Safari web browser on the device. Clearing this check box disables the Safari application, removes the Safari icon from the Home screen, and also prevents users from opening web clips. If the browser is enabled, you can specify the following options:

• Enable auto-fill—Indicates whether web forms can be filled in automatically based on previous entries.

• Force fraud warning—Indicates whether a warning is displayed when users visit websites identified as fraudulent or compromised.

• Enable JavaScript—Indicates whether JavaScript is executed.

• Enable plugins—Indicates whether plugin modules are allowed.

• Block popups—Indicates whether popup windows are displayed.

• Accept cookies—Select when the browser accepts cookies (always, never, or only from visited websites).

Allow explicit music & podcasts: Indicates whether explicit music or video content purchased from the iTunes Store is hidden on the device.

Allow backup (iOS 5 or later): Indicates whether personal data is backed up automatically on iCloud.

Allow document sync (iOS 5 or later): Indicates whether iWorks documents are backed up automatically on iCloud.

Allow Photo Stream (iOS 5 or later): Indicates whether photos and screenshots taken with the device are uploaded automatically to iCloud for distribution to the user’s other devices.

CAUTION: If this option is disabled, existing Photo Stream photos are deleted from the device, and photos on the Camera Roll cannot be sent to Photo Stream.

Force encrypted backups: Indicates whether backups performed in iTunes are always encrypted on the user’s computer. If this option is disabled, users can choose whether to encrypt backups. However, iTunes requires encrypted backups if any profile is encrypted, and profiles created by the iPhone Configuration Utility are always encrypted.

VPN Settings

The VPN settings in an MDM profile specify one or more VPN rules. Each rule identifies a VPN server that the device can connect to for secure access to a private network. In this release, the VPN server must be a Juniper Networks SA Series device.

To add or change the VPN settings:

1. To add the first rule to the Current VPN list, specify the VPN settings and click Save. After one or more rules are defined, click Add to add a new rule or select an existing rule that you want to change, copy, or delete. Clicking Copy inserts Copy-of- before the Connection Name.


2. Specify the following VPN settings for each rule, and click Save. Saving a new or copied rule adds its Connection Name to the Current VPN list.

Connection Name: Specify the name of the VPN policy (up to 50 characters). The name is displayed on the device and must be unique.

Connection Type: Select the type of VPN. In this release, the VPN server must be a Juniper Networks SA Series device, and the connection type must be Juniper SSL.

Server: Specify the host name (up to 50 characters) or the IP address of the VPN server.

Realm: Specify the name of an authentication realm defined on the SA Series device (up to 50 characters). The realm defines the server used to authenticate the device.

Role: Specify the name of the user role defined on the SA Series device (up to 50 characters). The user role defines the network resources the device can access.

User Authentication: Select the method used to authenticate users on the VPN server:

• Password—Enter a valid username and password (up to 50 characters each) for an account on the VPN server.

• Certificate—Select a certificate from the Identity Certificate list and specify a valid username. To add certificates to the list, see “SCEP Authentication Settings (iOS Devices Only)” on page 43.

Enable VPN On Demand (iOS devices only): If you select Certificate for the authentication method, you can select the check box to enable a VPN automatically when the user accesses specific hosts or domains. To specify the first host or domain:

• Match Domain or Host—Enter a hostname or a partial domain name (up to 100 characters). For example, if you enter example.com, a match occurs when the user accesses any domain that ends with example.com, such as www.test-example.com.

• On Demand Action—When a match occurs on the specified host or domain, select whether a VPN is always established, never established, or only if the DNS look-up fails (Establish If Needed). Selecting Never Establish does not prevent an existing VPN from being used.

To add another domain, click the + button. To remove a domain, select the check box next to the domain and click the - button.


SCEP Authentication Settings (iOS Devices Only)

The Authentication settings in an MDM profile specify one or more policies that allow the device to obtain certificates from a certification authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). Each policy identifies a SCEP server that an iOS device can access to obtain certificates.

To add or change the SCEP settings:

1. To add the first rule to the Current SCEP Rule list, specify the SCEP settings and click Save. After one or more rules are defined, click Add to add a new rule or select an existing rule that you want to change, copy, or delete. Clicking Copy inserts Copy-of- before the CA Name.

2. Specify the following settings for each rule, and click Save. Saving a new or copied rule adds its name to the Current SCEP Rule list.

URL: Specify the URL of the SCEP server (up to 100 characters).

Name: Specify the name of a certificate authority instance (up to 50 characters). This name can be used to distinguish different certificates obtained from the same SCEP server.

Subject: Select one of the following:

• User Name—The user’s registered e-mail address is used as the certificate name.

• UDID—The device UDID serves as the certificate name (not supported on iOS 7 or later devices).

• Wi-Fi MAC Address—The MAC address of the device’s Wi-Fi adapter serves as the certificate name (not supported on iOS 7 or later devices).

• JDID—The Juniper device ID serves as the certificate name (supported by iOS 7 or later devices that have Junos Pulse version 4.2R9 or later).

• Define in the next field—Enter the subject of the certificate in X.500 format, with attribute types (names or object IDs) and values separated by slashes (up to 100 characters). For example: /C=US/O=Juniper Networks/CN=foo/1.2.5.3=bar

Subject Alternative Name Type: If the CA requires a subject alternative name, select the name type: RFC 822 name (an e-mail address), DNS name, or Uniform Resource Identifier.

Subject Alternative Name Value: Select one of the following for the alternative name:

• User Name—The user’s registered e-mail address is used as the alternative name.

• UDID—The device UDID serves as the alternative name (can be used with the RFC 822 name type). Not supported on iOS 7 or later devices.

• Wi-Fi MAC Address—The MAC address of the device’s Wi-Fi adapter serves as the alternative name (not supported on iOS 7 or later devices).

• JDID—The Juniper device ID serves as the alternative name (supported by iOS 7 or later devices that have Junos Pulse version 4.2R9 or later).

• Define in the next field—Enter an alternative subject name (up to 100 characters).

NT Principal Name: Specify an NT principal name to include in the certificate request, if the CA requires one (up to 100 characters).

Challenge: Specify the challenge password required by the SCEP server, if any (up to 50 characters). The challenge is delivered to the device inside the profile, so treat the profile as sensitive.

Key Size: Select the number of bits in the key (1024 or 2048; 1024-bit keys are no longer considered adequate, so use 2048), and select the following options to indicate how the key is used:

• Use as digital signature—Indicates the key is used for digital signatures.

• Use for key encipherment—Indicates the key is used for key encryption.

Fingerprint: If the CA is reached over HTTP rather than HTTPS, enter the fingerprint of the CA’s certificate (up to 100 characters), which the device uses to verify the CA certificate it receives during enrollment. You can enter a SHA1 or MD5 fingerprint, or create a SHA1 fingerprint from a certificate by clicking Browse and selecting the certificate file. The certificate must be in PEM format, with a file extension of .pem, .crt, .cer, or .key. Prefer SHA1 where the CA publishes it; MD5 is accepted but is a weak hash.
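The fingerprint the device compares against is a digest of the certificate’s DER encoding, so hashing the PEM file as text produces a value that never matches. The following Python script is an added example (not the gateway’s own code, nor part of this guide) of the check an administrator can run before typing a fingerprint into the profile: it extracts the DER from a PEM file, prints the SHA1 or MD5 fingerprint in the colon-separated form most tools use, and compares a typed fingerprint against the certificate regardless of case or separators. The sample PEM is constructed; its body decodes to the three bytes “abc” rather than a real certificate, so the expected digests are the published SHA1 and MD5 test vectors for that string. The DER detection by leading 0x30 byte is a heuristic, not a DER parser.

```python
import base64
import hashlib
import re

# Constructed sample: the PEM body is the base64 of the three bytes b"abc", not a real
# certificate, so the expected fingerprints are the published SHA-1/MD5 vectors for "abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    If the input already starts with a DER SEQUENCE tag (0x30) it is treated as DER
    and returned unchanged; this is a heuristic, not a full DER parser.
    """
    if isinstance(data, str):
        data = data.encode("ascii")
    if data.lstrip().startswith(b"\x30"):
        return data
    match = _PEM_BLOCK.search(data.decode("ascii", "replace"))
    if match is None:
        raise ValueError("no CERTIFICATE block found in the file")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(data, algorithm="sha1"):
    """Colon-separated, upper-case hex digest of the certificate's DER encoding.

    The digest is taken over the DER bytes, never over the PEM text, which is the
    usual reason a hand-typed fingerprint fails to match.
    """
    if algorithm not in ("sha1", "md5"):
        raise ValueError("the gateway accepts SHA1 or MD5 fingerprints only")
    digest = hashlib.new(algorithm, pem_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop separators and case so fingerprints printed by different tools compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(entered, data):
    """Check a fingerprint typed into the profile against the CA certificate file.

    The algorithm is inferred from the length: 40 hex digits is SHA1, 32 is MD5.
    """
    want = normalize(entered)
    algorithm = {40: "sha1", 32: "md5"}.get(len(want))
    if algorithm is None:
        raise ValueError("fingerprint must be 40 (SHA1) or 32 (MD5) hex digits")
    return want == normalize(fingerprint(data, algorithm))


if __name__ == "__main__":
    print("SHA1", fingerprint(SAMPLE_PEM))
    print("MD5 ", fingerprint(SAMPLE_PEM, "md5"))
```

To check a real CA certificate, pass the contents of the .pem or .crt file to fingerprint_matches together with the value entered in the profile; the same certificate must be the one the SCEP server returns, so obtain it from the CA operator rather than from the HTTP endpoint you are trying to verify.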

Wi-Fi Connectivity Settings

The Connectivity settings in an MDM profile specify one or more Wi-Fi rules. Each rule specifies a wireless network that the iOS device can access.

To define the Wi-Fi rules:

1. To add the first rule to the Current Wi-Fi Rule list, specify the Wi-Fi settings and click Save. After one or more rules are defined, click Add to add a new rule or select an existing rule that you want to change, copy, or delete. Clicking Copy inserts Copy-of- before the current Service Set Identifier (wireless ID).

2. Specify the following settings for each rule, and click Save. Saving a new or copied rule adds its wireless ID to the Current Wi-Fi rule list.

Service Set Identifier: Specify the ID (SSID) of the wireless network (up to 32 characters).

Security Type: Select the type of authentication used by the network, and specify the password or enterprise settings, as required:

• None—No authentication required.

• WEP—Wired Equivalent Privacy used for a non-enterprise network. Enter the password in the displayed text box. WEP is cryptographically broken; use it only for legacy networks that support nothing better.

• WPA/WPA2—Wi-Fi Protected Access used for a non-enterprise network. Enter the password in the displayed text box.

• Any (Personal)—WEP, WPA, or WPA2 used for a non-enterprise network. Enter the password in the displayed text box.

• WEP Enterprise—WEP used for an enterprise network. Enterprise networks use the IEEE 802.1X authentication methods. Specify the enterprise settings in Step 3.

• WPA/WPA2 Enterprise—WPA or WPA2 used for an enterprise network. Specify the enterprise settings in Step 3.

• Any (Enterprise)—WEP, WPA, or WPA2 used for an enterprise network. Specify the enterprise settings in Step 3.

Hidden Network: Select the check box if the network does not broadcast its identity (SSID).

3. If you select an enterprise Security Type, click the Protocols and Authentication tabs in the iOS and Android sections to specify the enterprise settings for each device type:

Protocols

Accepted EAP Types: Select the Extensible Authentication Protocol (EAP) methods supported by the network’s RADIUS authentication server.

Inner Authentication: If you select the TTLS protocol (or PEAP for Android), select the protocol used to authenticate the username and password inside the TLS tunnel. iOS devices support PAP, CHAP, MSCHAP, or MSCHAPv2; Android devices support PAP, MSCHAP, or MSCHAPv2.

EAP-Fast: Optionally, for iOS devices, select the following check boxes to allow the authentication server to use a Protected Access Credential (PAC) to establish a tunnel between the server and the iOS device:

• Use PAC—Enables the use of a PAC.

• Provision PAC—Allows the PAC to be provisioned to the iOS device (required if Use PAC is enabled).

• Provision PAC Anonymously—Allows the server to establish the provisioning tunnel without a server certificate (no server authentication), so the device cannot distinguish the real server from an impostor during provisioning. Leave this cleared where possible.

Authentication

iOS Settings

Username: To use a username and password to authenticate the user, select one of the following options:

• User Name—The user must enter a valid username for an account on the authentication server.

• UDID—The device UDID serves as the username (not supported on iOS 7 or later devices).

• Wi-Fi Address—The device MAC address serves as the username (not supported on iOS 7 or later devices).

• JDID—The Juniper device ID serves as the username (supported by iOS 7 or later devices that have Junos Pulse version 4.2R9 or later).

• Other—Enter a valid username (up to 50 characters).

Use Per-Connection Password: Select the check box to prompt the user for the password on each connection.

Password: If Use Per-Connection Password is not selected, you can enter a password (up to 80 characters) for the specified username. The password is then stored in the profile.

Identity Certificate: To use a certificate to authenticate the user, select a certificate from the Identity Certificate list. To add certificates to the list, see “SCEP Authentication Settings (iOS Devices Only)” on page 43.

Outer Identity: When the TTLS, PEAP, or EAP-FAST protocol is used, you can specify an alternate username to be sent outside the encrypted tunnel, such as anonymous (up to 50 characters). This conceals the user’s real identity in the unencrypted outer EAP exchange.

Android Settings

Username: Enter a valid username (up to 50 characters) for an account on the authentication server.

Password: Enter a password (up to 80 characters) for the specified username.
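The following Python script is an added example, not the gateway’s code and not from this guide, that turns one enterprise Wi-Fi rule (Security Type, Protocols tab, and iOS Authentication tab as described in Steps 2 and 3) into the Apple Wi-Fi payload dictionary an iOS profile carries, enforcing the dependencies stated above (inner authentication only with TTLS, outer identity only with TTLS/PEAP/EAP-FAST, Provision PAC required with Use PAC) and listing the weak combinations a reviewer should flag before the profile is pushed. The payload keys (com.apple.wifi.managed, SSID_STR, HIDDEN_NETWORK, EncryptionType, EAPClientConfiguration, AcceptEAPTypes, TTLSInnerAuthentication, OuterIdentity, EAPFASTUsePAC, EAPFASTProvisionPAC, EAPFASTProvisionPACAnonymously, UserName, UserPassword, TLSTrustedServerNames) are taken from Apple’s Configuration Profile Reference; the mapping from the gateway’s Security Type names to EncryptionType values, the com.example PayloadIdentifier strings, and the OneTimeUserPassword key used for Use Per-Connection Password are assumptions. TLSTrustedServerNames is not a setting the gateway exposes; it is included because pinning the RADIUS server name is the usual mitigation for the rogue-server risk noted under Provision PAC Anonymously. The gateway’s own generated XML is not shown in this guide, and the Android settings have no equivalent payload here.

```python
import uuid

# IANA EAP method numbers, which is what Apple's AcceptEAPTypes array carries.
EAP_TYPES = {"TLS": 13, "LEAP": 17, "EAP-SIM": 18, "TTLS": 21, "PEAP": 25, "EAP-FAST": 43}
TUNNELED = {"TTLS", "PEAP", "EAP-FAST"}                 # methods that carry an outer identity
INNER_AUTH_IOS = ("PAP", "CHAP", "MSCHAP", "MSCHAPv2")  # TTLS inner methods from the table
# Gateway Security Type -> Apple EncryptionType value (assumed mapping, see lead-in).
ENCRYPTION_TYPE = {"None": "None", "WEP": "WEP", "WPA/WPA2": "WPA", "Any (Personal)": "Any",
                   "WEP Enterprise": "WEP", "WPA/WPA2 Enterprise": "WPA", "Any (Enterprise)": "Any"}


def build_eap_config(accepted, inner_auth=None, outer_identity=None, username=None,
                     password=None, per_connection_password=False, use_pac=False,
                     provision_pac=False, provision_pac_anonymously=False,
                     trusted_server_names=None):
    """Return the EAPClientConfiguration dict for one rule's Protocols/Authentication tabs."""
    if any(m not in EAP_TYPES for m in accepted):
        raise ValueError("unknown EAP type in %r" % (accepted,))
    cfg = {"AcceptEAPTypes": [EAP_TYPES[m] for m in accepted]}
    if inner_auth is not None:
        if "TTLS" not in accepted:
            raise ValueError("inner authentication applies only when TTLS is accepted")
        if inner_auth not in INNER_AUTH_IOS:
            raise ValueError("iOS inner method must be PAP, CHAP, MSCHAP or MSCHAPv2")
        cfg["TTLSInnerAuthentication"] = inner_auth
    if outer_identity is not None:
        if not TUNNELED & set(accepted):
            raise ValueError("an outer identity needs TTLS, PEAP or EAP-FAST")
        cfg["OuterIdentity"] = outer_identity
    if username is not None:
        cfg["UserName"] = username
    if per_connection_password:
        cfg["OneTimeUserPassword"] = True  # key name as recalled from Apple's reference (assumption)
    elif password is not None:
        cfg["UserPassword"] = password
    if use_pac or provision_pac or provision_pac_anonymously:
        if "EAP-FAST" not in accepted:
            raise ValueError("PAC options apply only to EAP-FAST")
        if use_pac and not provision_pac:
            raise ValueError("Provision PAC is required when Use PAC is enabled")
        cfg["EAPFASTUsePAC"] = use_pac
        cfg["EAPFASTProvisionPAC"] = provision_pac
        cfg["EAPFASTProvisionPACAnonymously"] = provision_pac_anonymously
    if trusted_server_names:  # not in the gateway's table; pins the RADIUS server cert names
        cfg["TLSTrustedServerNames"] = list(trusted_server_names)
    return cfg


def eap_config_error(**kwargs):
    """Return the message build_eap_config rejects kwargs with, or None if they are accepted."""
    try:
        build_eap_config(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def eap_config_warnings(cfg):
    """Weaknesses a reviewer should flag before the profile is pushed to devices."""
    accepted = {m for m, n in EAP_TYPES.items() if n in cfg["AcceptEAPTypes"]}
    warnings = []
    if cfg.get("EAPFASTProvisionPACAnonymously"):
        warnings.append("anonymous PAC provisioning: the RADIUS server is not authenticated")
    if accepted & TUNNELED and "OuterIdentity" not in cfg:
        warnings.append("no outer identity: the real username is sent outside the tunnel")
    if cfg.get("TTLSInnerAuthentication") in ("PAP", "CHAP"):
        warnings.append("PAP/CHAP inner method: the password is protected by the tunnel alone")
    if "TLSTrustedServerNames" not in cfg:
        warnings.append("no trusted server names: the RADIUS server certificate is not pinned")
    if "UserPassword" in cfg:
        warnings.append("static password embedded in the profile")
    return warnings


def build_wifi_payload(ssid, security_type, hidden=False, password=None, eap=None):
    """Return a com.apple.wifi.managed payload dict for one Wi-Fi rule."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 characters")
    if security_type not in ENCRYPTION_TYPE:
        raise ValueError("unknown security type: " + security_type)
    enterprise = security_type.endswith("Enterprise")
    if enterprise != (eap is not None):
        raise ValueError("EAP settings are required for, and only for, enterprise types")
    payload = {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.wifi." + ssid,  # example identifier
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": "Wi-Fi " + ssid,
               "SSID_STR": ssid, "HIDDEN_NETWORK": hidden, "AutoJoin": True,
               "EncryptionType": ENCRYPTION_TYPE[security_type]}
    if enterprise:
        payload["EAPClientConfiguration"] = eap
    elif security_type != "None":
        if password is None:
            raise ValueError("personal security types need a password")
        payload["Password"] = password  # stored in the profile; same caveat as UserPassword
    return payload
```

A payload built this way can be placed in the PayloadContent array of a Configuration profile and serialized with plistlib.dumps; an empty list from eap_config_warnings is the state to aim for, which in practice means TTLS or PEAP with an outer identity, no static password, and the RADIUS server name pinned.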

Tracking (iOS Devices)

For iPhones and iPads with 3G support (iOS 4.2 and later), you can specify how often a device reports its GPS coordinates to the gateway. To change or disable GPS updates, select the appropriate option from the GPS Update Period list and click Save.

The last reported location of a device can be viewed on the GPS Tracking Report (see “Tracking Devices with GPS” on page 84).

NOTE: If GPS updates are disabled and then re-enabled, it may take up to 48 hours for the GPS updates to resume.


Importing and Exporting MDM Profiles

Configuration profiles created with the Apple iPhone Configuration Utility (IPCU) can be imported to the Mobile Security gateway and used as MDM profiles for iOS devices. The IPCU provides support for iOS configuration options that are not available in profiles created with the gateway. You can download the IPCU from:

http://www.apple.com/support/iphone/enterprise/

Note the following:

• Profiles can be exported from the gateway and modified by the IPCU.

• Profiles must be exported from the IPCU before they can be imported to the gateway.

• The following variables can be used in the IPCU. They will be replaced with the appropriate values when the profile is applied to a device:

• msgusername—Can be used for the registered username in the following settings:

• In the User field of the Exchange ActiveSync settings

• As the CN= value in the Subject field of the SCEP settings

• In the Subject Alternative Name Value field of the SCEP settings

• msguserjdid—Can be used for the Juniper device ID in the following settings (only for iOS 7 or later devices that have Junos Pulse version 4.2R9 or later):

• In the User field of the Exchange ActiveSync settings

• As the CN= value in the Subject field of the SCEP settings

• In the Subject Alternative Name Value field of the SCEP settings

• msguserudid & msgusermac—Can be used for the device UDID or the MAC address of the device’s WiFi adapter in the following settings (not supported by iOS 7 or later devices):

• As the CN= value in the Subject field of the SCEP settings

• In the Subject Alternative Name Value field of the SCEP settings

• Imported profiles cannot be applied to Android devices. The Type column on the MDM Profiles page indicates whether the profile is imported or created on the gateway (Manual).

• The XML of imported profiles can be viewed on the gateway, but not changed. Imported profiles must be changed by the IPCU, and then re-imported to the gateway.

To create and update MDM profiles using the IPCU:

1. Select the Profiles tab for an enterprise, and click MDM profiles.

2. To export a profile for editing with the IPCU:

a. Select Export iOS profile next to the profile that you want to edit.


b. Click Open to open the profile in the IPCU (if the IPCU is installed) or click Save and specify the file name and location. By default, profiles are saved with an ios_ prefix and a .mobileconfig extension.

3. To import a profile that has been created or edited with the IPCU:

• In the IPCU, select the profile, click Export, select None from the Security menu, click Export again, and specify the file name and location. A profile exported with Security set to None is neither signed nor encrypted, so protect the file if it contains passwords or a SCEP challenge.

• On the MDM Profiles page, do one of the following:

• To import a new profile, click Import iOS Configuration File, and click Browse to select the profile exported from the IPCU. An error occurs if the new profile name matches the name of an existing profile.

• To update an existing imported profile, select the profile to be updated, click Update iOS Configuration File, and click Browse to select the profile exported from the IPCU. The name and content of the imported profile replaces the selected profile.

NOTE: When an imported profile is updated, any devices that use the profile are updated during the next synchronization with the gateway.
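The following Python script is an added example, not the gateway’s code and not part of this guide, covering three things described above: the X.500 slash format accepted by the SCEP Subject field (“Define in the next field”), the msgusername, msguserjdid, msguserudid, and msgusermac variables that an IPCU profile can carry, and the requirement that the IPCU export uses Security: None. It parses a slash-format subject into the nested-array form Apple’s SCEP payload uses, decides for a given device which variables are supported under the iOS 7 and Junos Pulse 4.2R9 rules listed above, and resolves the variables inside a plaintext .mobileconfig the way the gateway would when the profile is applied. Assumptions: a variable is written as the entire field value (for example CN=msgusername), because this guide does not show a delimiter syntax; the device attribute names (username, jdid, udid, wifi_mac, ios_major, pulse_version) are the example’s own; the SCEP payload key names and the Subject array layout are from Apple’s Configuration Profile Reference; the Exchange ActiveSync “User field” is mapped to Apple’s UserName key. The sample profile is constructed with plistlib rather than exported from the IPCU.

```python
import plistlib
import re

SCEP_PAYLOAD = "com.apple.security.scep"
EAS_PAYLOAD = "com.apple.eas.account"
# Gateway variable -> device attribute it is replaced with (attribute names are assumed).
DEVICE_FIELD = {"msgusername": "username", "msguserjdid": "jdid",
                "msguserudid": "udid", "msgusermac": "wifi_mac"}


def parse_pulse_version(text):
    """'4.2R9' -> (4, 2, 9), so Junos Pulse versions compare as tuples."""
    match = re.fullmatch(r"(\d+)\.(\d+)R(\d+)", text.strip())
    if match is None:
        raise ValueError("unrecognized Junos Pulse version: %r" % text)
    return tuple(int(x) for x in match.groups())


def variable_supported(name, device):
    """Apply the support rules listed above for one variable on one device."""
    if name not in DEVICE_FIELD:
        raise ValueError("unknown gateway variable: " + name)
    ios7 = device["ios_major"] >= 7
    if name == "msgusername":
        return True
    if name == "msguserjdid":   # iOS 7 or later with Junos Pulse 4.2R9 or later
        return ios7 and parse_pulse_version(device["pulse_version"]) >= (4, 2, 9)
    return not ios7             # UDID and Wi-Fi MAC are unavailable from iOS 7 on


def resolve_variable(name, device):
    if not variable_supported(name, device):
        raise ValueError("%s is not supported on iOS %d with Junos Pulse %s"
                         % (name, device["ios_major"], device["pulse_version"]))
    return device[DEVICE_FIELD[name]]


def parse_x500_slash(subject):
    """'/C=US/O=Juniper Networks/CN=foo/1.2.5.3=bar' -> [('C', 'US'), ...]."""
    pairs = []
    for part in filter(None, subject.split("/")):
        if "=" not in part:
            raise ValueError("attribute without '=': %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_apple_subject(pairs):
    """Apple's SCEP payload stores the subject as [[[type, value]], ...], one RDN per entry."""
    return [[[attr, value]] for attr, value in pairs]


def _substitute(value, device):
    # Assumption: a variable is written as the entire field value, e.g. CN=msgusername.
    return resolve_variable(value, device) if value in DEVICE_FIELD else value


def substitute_profile(data, device):
    """Load a plaintext export and resolve the variables the way the gateway would on apply."""
    if not data.lstrip().startswith(b"<?xml"):
        raise ValueError("not a plaintext profile; export from the IPCU with Security set to None")
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == SCEP_PAYLOAD:
            content = payload["PayloadContent"]
            content["Subject"] = [[[attr, _substitute(val, device)] for attr, val in rdn]
                                  for rdn in content.get("Subject", [])]
            san = content.get("SubjectAltName", {})
            for key in list(san):
                san[key] = _substitute(san[key], device)
        elif payload.get("PayloadType") == EAS_PAYLOAD and "UserName" in payload:
            payload["UserName"] = _substitute(payload["UserName"], device)  # the User field
    return profile


# Constructed sample: one SCEP payload laid out as the IPCU exports it (Security: None).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.scep", "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadContent": [{
        "PayloadType": SCEP_PAYLOAD, "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.ca", "PayloadUUID": "00000000-0000-4000-8000-000000000002",
        "PayloadContent": {
            "URL": "http://scep.example.com/scep", "Name": "example-ca",
            "Subject": to_apple_subject(parse_x500_slash(
                "/C=US/O=Juniper Networks/CN=msgusername/1.2.5.3=bar")),
            "SubjectAltName": {"rfc822Name": "msgusername"},
            "Keysize": 2048, "Key Usage": 5,   # 1 = signature, 4 = encipherment, 5 = both
        },
    }],
})

IOS7_DEVICE = {"ios_major": 7, "pulse_version": "4.2R9", "username": "alice@example.com",
               "jdid": "JDID-EXAMPLE-0001", "udid": "", "wifi_mac": ""}   # constructed
```

Running substitute_profile on a profile that uses msguserudid for an iOS 7 device raises a ValueError instead of silently enrolling a certificate with an empty name, which is the failure an administrator would otherwise only see as a rejected SCEP request.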

Setting the Default MDM Profile

A default MDM profile is applied to Android and iOS devices when they register with an enterprise. By default, the AutomaticDefault profile is applied to iOS devices, and the AutomaticAndroidDefault profile is applied to Android devices. You can edit these profiles or select other profiles as the defaults. You can also use the same default profile for both device types. To change the default profiles, you must have the Edit Enterprise Settings user privilege.

To change the default profiles from the Enterprise Settings page, select the Settings tab for the enterprise, click MDM Settings, and select the iOS and Android default profiles.

To change the default MDM profiles from the MDM Profiles page:

1. Select the Profiles tab for an enterprise, and click MDM Profiles.

2. Select the check box next to the profile that you want to use as the default iOS or Android MDM profile for the enterprise.

3. Click Set Default MDM Profile, and select Set Default iOS Profile or Set Default Android Profile.

In the Default column of the table, iOS or Android (or both) is shown next to the default profile. Changing the default profile affects only devices that register after the default profile is changed.


Deleting MDM Profiles

Deleting an MDM profile removes it from the profiles list. If a deleted profile is used by one or more devices, you are prompted to confirm the deletion. Android and iOS devices in the enterprise that have a deleted profile are sent an InstallProfile command to install the current default profile.

To delete the default profile, you must first select another MDM profile as the default. However, the AutomaticDefault and AutomaticAndroidDefault profiles that are created automatically for each enterprise cannot be deleted.

To delete one or more MDM profiles:

1. Select the Profiles tab for an enterprise, and click MDM Profiles.

2. Select the check box next to each profile you want to delete, and click Delete.

Related Documentation

• Managing Device Profiles on page 49

• Managing Devices on page 67

Managing Device Profiles

The following topics describe how to manage device profiles:

• Adding and Editing Device Profiles on page 49

• Setting the Default Device Profile on page 56

• Deleting Device Profiles on page 57

Adding and Editing Device Profiles

The device profile defines the UI mode, antivirus, monitor and control, firewall, antispam, and SIM change settings. When a non-iOS device registers with an enterprise, the AutomaticEnterpriseDefaultDeviceProfile profile is applied to the device. You can edit the default profile, or create another profile to be used as the default.

New device profiles can be applied to specific devices or groups of devices after they are registered (see “Modifying Device Settings” on page 68). If you change a profile, any device that has the profile is updated by the next synchronization with the gateway or when the next Update Profile command is sent to the device.

To add or edit device profiles:

1. Select the Profiles tab for an enterprise, and click Device Profiles.

2. Click Create Profile to add a new profile or select an existing profile that you want to change. Selecting the check box next to a profile and clicking Copy Profile adds a copy of the profile named copy-of-, which you can modify as needed.


NOTE: Changing a profile that is used by a device requires both the Edit Profile and Edit Device user privileges.

3. Spec- the settings in each of the following sections of the profile by clicking the section name in the left frame. To save the changes in each section, click Save before selecting another section.

• General Settings on page 50

• UI Mode Settings on page 50

• Anti Virus Settings on page 53

• Monitor and Control Settings on page 54

• Firewall Settings on page 55

• Antispam Settings on page 55

• Sim Change Settings on page 56

General Settings

The general settings in a device profile specify the profile name, description, and how often the device is synchronized with the gateway. For a new profile, the general settings must be defined first.

Table 2: General Settings

Name: Specify the name of the profile (up to 50 characters). The name must be unique.

Description: Enter a description of the profile’s purpose (up to 300 characters).

Update Schedule: Select how often the settings on the gateway, including virus definitions, are synchronized with the settings on non-iOS devices. Select Never to disable automatic synchronization with the gateway. If users change the update schedule on the device, it is reset during the next synchronization.

For iOS devices, the update schedule is determined by the check-in period in the enterprise settings (see “Editing the Default Enterprise Policy Settings” on page 13).

UI Mode Settings

The UI mode settings specify the user interface mode for Android and Blackberry devices, and the active and inactive buttons for non-iOS devices.


Table 3: UI Mode Settings

UI Mode: Indicates the Junos Pulse features available to users of Android and Blackberry devices. Select one of the following:

• Full UI—Includes all features of the Junos Pulse client.

• Minimal UI—Includes only a splash screen, a license screen, and a Home screen with an About button. Detected viruses, malware, and prohibited applications are deleted automatically, and suspicious applications are displayed to the user so they can be deleted or allowed. If a device does not support automatic deletion of applications, the Scan Results page is displayed periodically until the offending applications are deleted manually.

• Security UI—Includes all Junos Pulse features except the ability to define VPN connections to private networks. Users can scan for viruses and malware, view scan results, back up data, and so on.

UI Button Mode (service bundle): For Android and Blackberry devices, if the UI Mode is Full UI or Security UI, the following features can be active or inactive and visible or hidden on the device and dashboard. If a feature is inactive, its associated device commands are hidden (see “Sending Device Commands” on page 73).

Active features can be hidden to simplify the user interface. Inactive/Visible features appear dimmed so that users can select them to purchase the feature. Professional Services can customize the URL for buttons or text that appear dimmed and assist you with enabling features programmatically through the gateway API.

For Windows Mobile and Symbian devices, Active and Inactive settings affect the dashboard and command list, but not the device. The Hidden and Visible settings are ignored, and the Custom Button does not apply.

Select the activation status for each of the following:

• Anti Virus—If Anti Virus is enabled for the enterprise, the Active/Visible selection displays a Scan/Threats Detected button and a Security Settings selection on the device so that users can start a scan or change the default scan and virus update settings. On the dashboard home page, an Anti-Virus Activity section is displayed with an event count that users can select to view the list of events. The Active/Hidden selection hides the feature on the device and dashboard, but viruses, malware, and prohibited applications are detected on the device and deleted automatically or the user is prompted to remove them.

• Backup—The Active/Visible selection displays a Backup button on the device and a Backup and Restore button on the dashboard. Users can back up their personal contacts and calendar from the device, but they must use the dashboard (or contact an administrator) to restore the last backup. The Active/Hidden selection has the same effect as Inactive/Hidden.

• Monitor & Control—If Monitor & Control is enabled for the enterprise, the Active/Visible selection displays the Remote Monitoring button on the device so that users can view which items are monitored and whether GPS tracking is enabled. The dashboard is updated as follows:

• The Remote Monitoring section is displayed on the home page with counts of the monitored messages, calls, applications, and photographs that users can select to view lists of each item.

• The Alert Setup tab allows users to set up alerts based on the message content (if messages are monitored).

• The Reports tab allows users to view a Text and Email Monitoring report.

• The Settings page allows dashboard users to change the default monitor and control options for a device. The Active/Hidden selection hides the feature on the device and dashboard, but allows an administrator to view the device activity logs (see “Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices” on page 83).


• Anti Theft—The following buttons can be displayed on the dashboard home page. If any of these buttons is visible, an Anti Theft button is displayed on the device that allows users to view, and optionally change, the status of each feature. Active/Visible features are shown as enabled; Inactive/Visible features are shown as disabled. The Active/Hidden and Inactive/Hidden selections have the same effect.

• Wipe Device—The Active/Visible selection allows dashboard users to erase personal data from a device, depending on the device type (see “Pulse Mobile Security Features by Device Type” on page 91).

• Lock/Unlock Device—The Active/Visible selection allows dashboard users to lock or unlock a device.

• Scream Locate—The Active/Visible selection allows dashboard users to enable an alarm to help locate a device in the immediate area.

• Locate Device—The Active/Visible selection allows dashboard users to enable GPS reporting on a non-iOS device and view the device’s location on a map. To view the location of an iOS device, an administrator must enable GPS reporting on the device.

• Custom Button—The Active/Visible selection displays a customized button on the home page of the device and dashboard that users can select to purchase or cancel optional features. The Inactive/Visible selection also displays the button. Professional Services can configure the button and its associated URL.

Anti Virus Settings

The following settings apply to non-iOS devices when Anti Virus is enabled in the Enterprise General Settings.

Table 4: Anti Virus Settings

Disable Handset Modifications: Prevents users from changing the antivirus settings; device commands that enable or disable file scanning are not persistent. During periodic synchronizations with the gateway, the gateway settings override the settings on the device. Clear the check box to allow the device settings to override the gateway settings during each synchronization.

Scan SD Card on Insert: Enables scanning of a Secure Digital (SD) memory card when it is first inserted in the device.

Scan App on Install: Enables scanning of applications when they are first installed on the device.

NOTE: Media files are not scanned. The media files that are skipped have the file extensions .gpp, .mkv, .mov, .mpg, .mp3, .mp4, .wav, .wma, .bmp, .gif, .jpg, .png, and .tif/.tiff.

Scan Inside Archives: Enables recursive scanning of archive files that are contained within other archive files (Android devices only). The supported archive formats are .zip, .gzip, and .jar.

Android App Scan Interval: Select Days or Weeks and enter the number of days or weeks between malware scans on Android devices. To disable malware scanning, enter zero.

Monitor and Control Settings

The following settings apply to non-iOS devices when Monitor & Control is enabled in the Enterprise General Settings.

Table 5: Monitor and Control Settings

Log Event Limit: Number of events that are logged before they are uploaded to the gateway. An event is an instance of any logged item (e-mail, SMS or MMS message, phone call, or image). Higher values delay gateway updates but reduce the number of uploads, which conserves battery life. Select Off to disable uploads based on the number of events.

NOTE: Device logs are uploaded to the gateway over HTTPS, not SMS.

Log Size Limit: Maximum amount of file space used for the event log (100 KB is recommended). The log can exceed this value, but once the log is full an upload is attempted after each event. Select Off to disable uploads based on the log size. If both the Log Event and Log Size limits are Off, uploads occur only when requested from the management console or user dashboard.

NOTE: By default, log entries for the past three days are retained.

Log Email: Saves all e-mails in the device log (not supported on Android devices).

Log SMS: Saves all SMS messages in the device log.

Log MMS: Saves the text portion of all MMS messages in the log on Symbian devices. Graphics are included only if they are saved on the device and the Log Images option is selected.

Log Voice: Saves a record of each phone call in the device log, including date, time, and remote phone number.

Disable Voice: Disables the ability to make phone calls (not supported on Blackberry devices).

Log Images: Saves images that are loaded on the device in the log.

Log Web Images: Saves images that are accessed with the device Web browser in the log (not supported on Android devices).

Retrieve Application List: Retrieves the list of installed applications each time an Android device is synchronized with the gateway.

GPS Update Period: Select how often a non-iOS device reports its GPS location to the gateway, or select Disable Updates to disable GPS reporting. For iOS devices (iPhones and iPads with 3G support), this setting is specified in the MDM profile (see “Tracking (iOS Devices)” in “Adding and Editing MDM Profiles” on page 36). A device’s last reported location can be viewed on the GPS Tracking Report (see “Tracking Devices with GPS” on page 84).

Firewall Settings

The following settings apply to Windows Mobile and Symbian devices when Firewall is enabled in the Enterprise General Settings.

Table 6: Firewall Settings

Active: Displays the firewall application on Symbian and Windows Mobile devices. Clear the check box to hide the application.

Disable Handset Modifications: Prevents users from changing the firewall settings on the device. Clear the check box to allow the device settings to override the gateway settings during the periodic synchronizations with the gateway.

Security Level: Select one of the following:

• Disable—Disables the firewall component.

• Allow—Permits all traffic that is not specifically blocked in the firewall profile rules (default allow).

• Block—Blocks all traffic that is not specifically allowed in the firewall profile rules (default deny, the more restrictive posture).

Profile: Select a set of firewall rules that specify the traffic to be allowed or blocked. To create firewall profiles, see “Managing Firewall Rules and Profiles” on page 57. If you have not defined any profiles, you can edit this setting later.

Antispam Settings

The following settings apply to Windows Mobile and Symbian devices when Anti Spam is enabled in the Enterprise General Settings.

Table 7: Anti Spam Settings

Active: Displays the antispam application on Symbian and Windows Mobile devices. Clear the check box to hide the application.

Disable Handset Modifications: Prevents users from changing the antispam settings on the device. Clear the check box to allow the device settings to override the gateway settings during the periodic synchronizations with the gateway.

Block Short Codes: Blocks SMS messages to or from short codes. Short codes are five- or six-digit SMS codes that serve as short phone numbers and are often used by premium SMS services. SMS messages from short codes are more likely to be spam than messages from regular phone numbers, and outgoing SMS messages to short codes can incur phone charges. Short codes are also used for instant messaging (IM) services, so blocking them increases security but also limits service to the client.

Profile: Select a set of antispam rules that specify which phone and SMS numbers to block. To create antispam profiles, see “Managing Antispam Rules and Profiles” on page 60. If you have not defined any profiles, you can edit this setting later.

Sim Change Settings

The following settings are used to lock or wipe a non-iOS device when the SIM card is changed.

Table 8: SIM Change Settings

Lock on SIM Change: Locks a device if the SIM card is changed after the device is registered. Changing the SIM card changes the phone number and disables communication with the gateway. This feature helps protect personal data if the phone is lost or stolen. Logging in with the user’s registration password unlocks the device and updates the phone number on the gateway.

NOTE: For a device that is registered automatically, the user must replace the SIM to unlock the device. Also, locking the device does not stop active background applications, such as a phone call or the music player.

Wipe on SIM Change: Wipes the user data from a device if the SIM card is changed after the device is registered (Lock on SIM Change must be enabled). The data erased depends on the device type (see “Pulse Mobile Security Features by Device Type” on page 91). Note the following:

• On Android 2.2 (or later) devices that have the Device Administrator function enabled, the device is not locked, but a factory reset occurs that removes all applications installed by the user, including Junos Pulse. If Device Administrator is disabled, the device is locked, and GPS Theft Mode and Monitor & Control logging are enabled.

• On Android 2.1 devices, the device is locked, and GPS Theft Mode and Monitor & Control logging are enabled. The contacts and history are wiped, but not the SD memory card.

Setting the Default Device Profile

A default device profile is applied to non-iOS devices when they register with an enterprise. By default, the AutomaticEnterpriseDefaultDeviceProfile is created for each new enterprise.


You can edit this profile or select another device profile as the default. To change the default profile, you must have the Edit Enterprise Settings user privilege.

To change the default profile from the Enterprise Settings page, select the Settings tab for the enterprise, locate the current default profile under Device Settings, and select a new profile.

To change the default device profile from the Device Profiles page:

1. Select the Profiles tab for an enterprise, and click Device Profiles.

2. Select the check box next to the profile that you want to use as the default device profile for the enterprise, and click Set Default Device Profile.

In the Default column of the table, Default is shown next to the default profile. Changing the default profile affects only the non-iOS devices that register after the default profile is changed.

Deleting Device Profiles

Deleting a device profile removes it from the profiles list. Devices in the enterprise that have a deleted profile are sent an Update Profile command to install the current default profile. To delete the default profile, you must first select another device profile as the default. However, the AutomaticEnterpriseDefaultDeviceProfile profile that is created automatically for each enterprise cannot be deleted.

To delete one or more device profiles:

1. Select the Profiles tab for an enterprise, and then click Device Profiles.

2. Select the check box next to each profile you want to delete, and click Delete.

Related Documentation

• Editing the Default Enterprise Policy Settings on page 13

• Managing MDM Profiles on page 36

• Managing Devices on page 67

Managing Firewall Rules and Profiles

The Pulse Mobile Security Gateway uses profiles to apply firewall policies to Windows Mobile and Symbian devices. You create firewall rules, group the rules into a firewall profile, and then apply the firewall profile to a device profile. The device profile can be assigned to an enterprise or specific devices. Device profiles assigned to an enterprise are applied to new devices when they register with the enterprise.

You can define firewall rules and profiles at the root, partner, and enterprise levels. Enterprise administrators can assign profiles that were created at the partner or root level, but enterprise administrators cannot change those profiles.


Adding Firewall Rules

To add a firewall rule:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Firewall Rules.

2. Click Add Rule, specify the following information, and click Save.

Setting Description

Name The name of the firewall rule (up to 50 characters). The name and IP address are required for a new rule, and the name must be unique.

Description A description of the rule’s purpose (up to 100 characters).

Type The action the rule performs (Allow or Block) on traffic that matches the specified IP address, port numbers, and direction. The default is Disable, which deactivates the rule until you change it to Allow or Block. The rule also has no effect if the IP field or a port field is left blank.

IP The IPv4 address of the traffic in dotted decimal format (such as 10.100.10.1). An address can include asterisks (*) to indicate any value from 0 to 255 (such as 10.*.10.*).

Min Port and Max Port The port number range (0 to 65535) of the traffic. For a single port, enter the same port number in both fields.

Directions The traffic direction (In, Out, or Both).
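The rule semantics in the table above (wildcard octets in the IP field, a port range, a direction, and the fact that a Disabled rule or a rule with a blank IP or port field has no effect) can be modelled in a few lines. The following is an added illustration, not the gateway's own code; it assumes first-match ordering within a profile and returns None when no rule matches, because the page does not state the precedence between rules or the default action.

```python
"""Illustrative model of Pulse Mobile Security Gateway firewall rule matching.

Added example; not the product's implementation. Assumptions are marked.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ACTIONS = {"Allow", "Block", "Disable"}
DIRECTIONS = {"In", "Out", "Both"}


@dataclass
class FirewallRule:
    name: str
    ip: str = ""                      # IPv4 pattern; an octet may be "*" (any value 0-255)
    min_port: Optional[int] = None    # 0-65535, blank (None) means the rule has no effect
    max_port: Optional[int] = None
    direction: str = "Both"           # In, Out, or Both
    rule_type: str = "Disable"        # default per the page: Disable
    description: str = ""

    def is_effective(self) -> bool:
        """Page: a Disabled rule, or one with a blank IP or port field, has no effect."""
        return (self.rule_type in ("Allow", "Block") and self.ip != ""
                and self.min_port is not None and self.max_port is not None)


@dataclass
class FirewallProfile:
    name: str
    rules: List[FirewallRule] = field(default_factory=list)


def _octet(token: str) -> int:
    """Parse one dotted-decimal octet, rejecting anything outside 0-255."""
    if not token.isdigit() or int(token) > 255:
        raise ValueError(f"bad IPv4 octet: {token!r}")
    return int(token)


def validate_rule(rule: FirewallRule) -> None:
    """Enforce the field limits stated in the table (lengths, ranges, keywords)."""
    if not 1 <= len(rule.name) <= 50:
        raise ValueError("name is required and limited to 50 characters")
    if len(rule.description) > 100:
        raise ValueError("description is limited to 100 characters")
    if rule.rule_type not in ACTIONS or rule.direction not in DIRECTIONS:
        raise ValueError("type must be Allow/Block/Disable, direction In/Out/Both")
    for port in (rule.min_port, rule.max_port):
        if port is not None and not 0 <= port <= 65535:
            raise ValueError("port outside 0 to 65535")
    if rule.min_port is not None and rule.max_port is not None and rule.min_port > rule.max_port:
        raise ValueError("Min Port exceeds Max Port")
    if rule.ip:
        parts = rule.ip.split(".")
        if len(parts) != 4:
            raise ValueError("IP must have four dotted-decimal octets")
        for part in parts:
            if part != "*":
                _octet(part)


def ip_matches(pattern: str, address: str) -> bool:
    """True when every non-wildcard octet of the pattern equals the address octet."""
    pat, addr = pattern.split("."), address.split(".")
    if len(pat) != 4 or len(addr) != 4:
        return False
    return all(p == "*" or _octet(p) == _octet(a) for p, a in zip(pat, addr))


def rule_matches(rule: FirewallRule, address: str, port: int, direction: str) -> bool:
    """Match traffic (remote address, port, In/Out) against one effective rule."""
    if direction not in ("In", "Out"):
        raise ValueError("traffic direction must be In or Out")
    if not rule.is_effective():
        return False
    if rule.direction != "Both" and rule.direction != direction:
        return False
    if not rule.min_port <= port <= rule.max_port:
        return False
    return ip_matches(rule.ip, address)


def evaluate(profile: FirewallProfile, address: str, port: int, direction: str) -> Optional[str]:
    """Return the action of the first matching effective rule (assumption: first match wins).

    Returns None when no rule matches; the page does not define the default action.
    """
    for rule in profile.rules:
        if rule_matches(rule, address, port, direction):
            return rule.rule_type
    return None


# Constructed sample profile (names and addresses are illustrative only).
SAMPLE_PROFILE = FirewallProfile("sample-profile", [
    FirewallRule("block-telnet", ip="*.*.*.*", min_port=23, max_port=23,
                 direction="Both", rule_type="Block"),
    FirewallRule("allow-intranet-web", ip="10.*.10.*", min_port=80, max_port=443,
                 direction="Out", rule_type="Allow"),
    FirewallRule("disabled-rule", ip="192.168.1.1", min_port=0, max_port=65535,
                 direction="Both"),                       # type left at Disable: no effect
    FirewallRule("blank-port", ip="10.100.10.1", min_port=None, max_port=None,
                 direction="In", rule_type="Block"),      # blank port field: no effect
])
for _rule in SAMPLE_PROFILE.rules:
    validate_rule(_rule)
```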

Modifying Firewall Rules

You can modify a firewall rule only at the level where it was created. For example, if a rule was created at the partner level, you must be a partner administrator to modify the rule. Modifying a rule affects all firewall profiles that include the rule. Any device that has an affected profile is updated by the next synchronization with the gateway or when the next Update Profile command is sent to the device.

To modify a firewall rule:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Firewall Rules.

2. Click the rule that you want to change.

3. When you finish editing the rule, click Save.


Deleting Firewall Rules

Use caution when deleting a rule. Deleting a rule removes it from the rules list and from all firewall profiles.

To delete one or more rules:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Firewall Rules.

2. Select the check box next to each rule you want to delete and click Delete, or click the delete icon next to each rule.

Adding Firewall Profiles

Before you create a profile, you should define all of the firewall rules that you want to include in the profile.

To add a firewall profile:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Firewall Profiles.

2. Click Add Profile, specify the following information, and click Save.

• Name—The name of the firewall profile (up to 50 characters). The name is the only required information for a new profile, and it must be unique.

• Description—A description of the profile’s purpose.

• Rules—A list of names of firewall rules. Select the rules you want to add to the profile, and click Add. To remove rules from the profile, select the rules from the list on the right, and click Remove.

Modifying Firewall Profiles

You can change a profile’s name, description, or rules. Any device that has the changed profile is updated by the next synchronization with the gateway or when the next Update Profile command is sent to the device.

To modify a firewall profile:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Firewall Profiles.

2. Click the profile you want to change.

3. Change the name or description, or use the Add and Remove buttons to change the rules in the profile.

4. When you finish editing the profile, click Save.


Deleting Firewall Profiles

Use caution when you delete profiles. Deleting a profile removes it from the profiles list, and any enterprise or device that specified the profile is reset to No Profile.

To delete one or more profiles:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Firewall Profiles.

2. Select the check box next to each profile you want to delete, and click Delete.

Related Documentation

• Adding and Editing Device Profiles on page 49

Managing Antispam Rules and Profiles

The Pulse Mobile Security Gateway enforces antispam policies through profiles. You create antispam rules to block incoming phone calls or SMS messages, group the rules into a profile, and then apply the profile to a device profile. The device profile can be assigned to an enterprise or specific devices. Device profiles assigned to an enterprise are applied to new devices when they register with the enterprise.

You can define Antispam rules and profiles at the root, partner, and enterprise levels. Enterprise administrators can assign profiles that were created at the partner or root levels, but enterprise administrators cannot change those profiles.

Adding an Antispam Rule

To add an antispam rule:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Antispam Rules.

2. Click Add Rule, and specify the following information:

• Phone Number—The phone number of incoming calls or messages that you want to block. This is the only required information.

• Description—Provides more information about the rule.

• Active—The status of the rule. The default setting is active.

• Block Type—The specified phone number can be blocked for incoming phone calls, SMS messages, or both. Blocked phone calls are diverted to voicemail.

3. Click Save to save the rule.
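How an antispam rule (phone number, Active flag, Block Type) and the Block Short Codes setting from Table 7 combine on a device can be modelled as follows. This is an added illustration, not the client's code; it assumes numbers are compared after stripping everything but digits, and that rules apply to incoming calls and messages only, as the page describes.

```python
"""Illustrative model of Pulse Mobile Security antispam decisions.

Added example; not the product's implementation. Assumptions are marked.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AntispamRule:
    phone_number: str
    block_type: str = "Both"   # Call, SMS, or Both
    active: bool = True        # page: the default setting is active
    description: str = ""


@dataclass
class AntispamProfile:
    name: str
    rules: List[AntispamRule] = field(default_factory=list)


@dataclass
class AntispamSettings:
    """The device-profile settings that matter here (see Table 7)."""
    profile: Optional[AntispamProfile] = None
    block_short_codes: bool = False


def normalize(number: str) -> str:
    """Assumption: compare digits only, so '+1 603-555-1212' equals '16035551212'."""
    return "".join(ch for ch in number if ch.isdigit())


def is_short_code(number: str) -> bool:
    """Page: short codes are five- or six-digit SMS codes."""
    return len(normalize(number)) in (5, 6)


def evaluate(settings: AntispamSettings, kind: str, number: str, direction: str = "In") -> Optional[str]:
    """Decide what happens to one call or SMS.

    Returns "voicemail" (blocked call diverted), "blocked" (SMS dropped),
    or None when nothing applies.
    """
    if kind not in ("Call", "SMS") or direction not in ("In", "Out"):
        raise ValueError("kind must be Call/SMS and direction In/Out")
    # Block Short Codes applies to SMS to or from a short code, in either direction.
    if kind == "SMS" and settings.block_short_codes and is_short_code(number):
        return "blocked"
    # Antispam rules block incoming calls or messages from the listed number only.
    if direction != "In" or settings.profile is None:
        return None
    target = normalize(number)
    for rule in settings.profile.rules:
        covers = rule.block_type == "Both" or rule.block_type == kind
        if rule.active and covers and normalize(rule.phone_number) == target:
            return "voicemail" if kind == "Call" else "blocked"
    return None


# Constructed sample profile; the numbers are illustrative only.
SAMPLE_SETTINGS = AntispamSettings(
    profile=AntispamProfile("sample-antispam", [
        AntispamRule("+1 603 555 1212", block_type="Both"),
        AntispamRule("16035550100", block_type="SMS"),
        AntispamRule("16035550199", block_type="Call", active=False),
    ]),
    block_short_codes=True,
)
```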


Modifying an Antispam Rule

Modifying a rule affects all antispam profiles that include the rule. Any device that has an affected profile is updated by the next synchronization with the gateway or when the next Update Profile command is sent to the device.

To modify a rule:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Antispam Rules.

2. Click the rule that you want to edit to open the edit dialog box.

3. When you finish making changes, click Save.

Deleting Antispam Rules

Use caution when deleting a rule. Deleting a rule removes it from the rules list and from all antispam profiles.

To delete one or more rules:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Antispam Rules.

2. Select the check box next to each rule you want to delete and click Delete, or click the delete icon next to each rule.

Adding an Antispam Profile

Before you create an antispam profile, you should define all of the antispam rules that you want to include in the profile.

To add an antispam profile:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Antispam Profiles.

2. Click Add Profile, and specify the following information:

• Name—The name of the profile (up to 50 characters). The name is the only required information for a new profile, and it must be unique.

• Description—A description of the profile.

• Rules—A list of phone numbers of the antispam rules. Select the rules you want to add to the profile, and click Add. To remove rules from the profile, select the rules from the list on the right, and click Remove.

3. Click Save to save your changes.


Modifying an Antispam Profile

You can change a profile’s name, description, or rules. Any device that has the changed profile is updated by the next synchronization with the gateway or when the next Update Profile command is sent to the device.

To modify an antispam profile:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Antispam Profiles.

2. Click the profile you want to edit to open the edit dialog box.

3. Change the name or description, or use the Add and Remove buttons to change the rules in the profile.

Deleting Antispam Profiles

Use caution when you delete a profile. Deleting a profile removes it from the profiles list, and any enterprise or device that specified the profile is reset to No Profile.

To delete one or more profiles:

1. Select the Profiles tab for the root, a partner, or an enterprise, and then click Antispam Profiles.

2. Select the check box next to each profile you want to delete.

3. Click Delete.

Related Documentation

• Adding and Editing Device Profiles on page 49

CHAPTER 4

User Accounts

This chapter describes how to create and manage user accounts. It is intended for both enterprise administrators and customer service personnel. Typically, customer service personnel modify and delete user accounts, but do not manage user groups.

• Managing User Accounts on page 63

• Managing User Groups on page 66

Managing User Accounts

A user account is created automatically when a device is registered with the Pulse Mobile Security Gateway. The e-mail address and password entered during a manual registration also can be used to log in to the gateway dashboard. For an automatic registration, the account name and password are manually defined on the gateway or supplied by a device identity server, in which case the administrator can send the account information to the user.

An enterprise setting can require administrators to manually create a user account before the user is allowed to register. Typically, user accounts are created automatically and administrator accounts are created manually. You also can create an administrator account by assigning an administrator role and user control list to an existing user account.

Adding a User Account

To create a user account:

1. Select the Users tab for the root, a partner, or an enterprise.

2. Click Add User Account and specify the following information:

• First Name—First name of the user.

• Last Name—Last name of the user.

• User Name—Name used to log in to the gateway. The user name must be an e-mail address.

• Password and Confirm Password—Passwords must contain at least 8 characters and cannot include the username.

3. Click Save to save the account.


To grant administrator privileges to a user account, you must define a user role, assign the role to the account, and then specify a user control list (see “Adding Administrator Accounts” on page 17).

Modifying User Accounts

For any user account, you can change the password, login name, account expiration date, or account status. A common task is to reset a forgotten password. Users can modify their own account by clicking My Account in the top panel.

To modify a user account:

1. Select the Users tab for the root, a partner, or an enterprise.

2. If user groups are defined, you can select a group from the list at the top of the page to view just the users in the group.

3. To limit the user list to specific criteria, select a field to search and a comparison operator (such as Equal To), and then enter a value and click Search.

For example, to view all users with gmail in the login name, select the Username field, select Like as the comparison operator, enter gmail as the value, and click Search.

4. Click the user account, and edit the following as required:

• First Name—First name of the user.

• Last Name—Last name of the user.

• Username—The username must be an e-mail address.

• Account Expiration Date—Click the calendar icon to select an expiration date for the account. When the account reaches its expiration date, the status changes to Deactivated, the user cannot log in to the gateway, and the user’s devices do not receive virus definition updates.

• Status—Choose one of the following:

• Active—User can log in to the gateway, and the user’s devices can receive updates from the gateway.

• Locked—User cannot log in to the gateway. If Account Lockout is enabled, this status is set after three unsuccessful login attempts.

• Deactivated—User cannot log in and device updates stop.

• To change the password, click Password in the left frame, and specify the old and new passwords for this account. Make note of the new password so that you can communicate it to the user. Passwords must contain at least 8 characters and cannot include the username.

5. Click Save Changes to save the account.


Deleting User Accounts

To delete user accounts:

1. Select the Users tab for the root, a partner, or an enterprise.

2. Select the check box next to the user accounts that you want to delete, and click Delete.

Related Documentation

• Managing User Groups on page 66

• Managing Devices on page 67


Managing User Groups

User groups provide a convenient way to organize enterprise users and to send commands to all the devices registered by the users in a group. Users can belong to multiple groups, and a group can contain other groups.

If any user groups are defined, a list is displayed at the top of the page when you select the Users tab or User Groups under the Groups tab. If you select a group that contains other groups, another list is displayed for the subgroups.

To add or delete user groups:

1. Select the Groups tab for an enterprise, and click User Groups.

2. To add a new user group:

a. To add a group to an existing user group, select the user group from the list at the top of the page. If the selected group contains other user groups, you can select a subgroup.

b. Click Add User Group and specify the user group properties:

• Name—A unique group name (up to 36 characters).

• Notes—Additional information about the group.

c. Click Save to save the group and to close the window.

3. To delete user groups:

a. To delete a group from an existing user group, select the user group from the list at the top of the page.

b. Select one or more groups and click Delete.

To add or remove users from user groups:

1. Select the Users tab for an enterprise.

2. To add users to a group:

a. Select the check box for each user you want to add to a group.

b. Click Move To, select the target user groups, and then click Move.

3. To remove users from a group:

a. Select the user group from the list at the top of the page.

b. Select the check box for each user you want to remove, and click Remove From Group.

Related Documentation

• Managing Device Groups on page 78

• Managing Devices on page 67

CHAPTER 5

Devices

The following topics describe how to manage mobile devices:

• Managing Devices on page 67

• Managing Device Groups on page 78

Managing Devices

Mobile devices are added to the Pulse Mobile Security Gateway when users register the Pulse Mobile Security Suite software. Typically, users install the Junos Pulse Mobile Security Suite software from their phone’s application store, and then register the software by confirming a registration prompt or entering the license key provided by the gateway administrator.

The device record and user account can be added to the gateway in advance or they can be created automatically when a device is registered. Devices are managed by sending commands to devices and modifying device settings. You can also organize devices into groups, view reports for a specific group, and send commands to the devices in one or more device groups.

• Adding Devices Manually on page 67

• Modifying Device Settings on page 68

• Applying Profiles to Devices on page 72

• Sending Device Commands on page 73

• Backing Up and Restoring Personal Data on page 77

Adding Devices Manually

Devices can be registered by manually adding them to the gateway. When you add a device, the gateway sends an e-mail to iOS devices or an SMS message to non-iOS devices. The message includes a license key, the Software Download URL specified in the Enterprise Settings page, and, for iOS devices, a registration link to the Juniper Networks gateway. Customer service personnel and enterprise administrators may need to add devices manually if automatic registration fails for any reason, or if manual registration is the preferred method for an enterprise.

After the Pulse client is downloaded, the user is prompted for an e-mail address, password, and license key to register the device (iOS users must click the registration link). Windows Mobile and Symbian device users can enter just the license key to register, in which case the IMEI number is used for the e-mail address (imei@a.a) and password.

NOTE: Non-iOS tablet devices must support SMS to receive the URL and license key from the gateway.

To add a device manually:

1. Select the Devices tab for the enterprise.

2. Click Add, and specify the following:

• Operating System—Select the operating system used on the device. If you select a non-iOS operating system, enter the phone number of the device, including the country code and area code. For example, enter 16035551212.

If you select iOS, specify the following:

• Email—Enter an e-mail address for the device.

• UDID or Wi-Fi MAC Address or JDID—Enter the Unique Device Identifier (UDID), the MAC address of the device’s WiFi adapter, or the Juniper device ID (JDID). Note the following:

• Use the MAC address only for iOS 6 and earlier devices that have version 4.2R3 or later of the Junos Pulse client. Enter the 12 hexadecimal digits of the MAC address without colons or other separators.

• For iOS 7 and later devices, only the JDID is supported. To obtain the JDID, the user must install the Junos Pulse client, tap the Copy ID button on the About screen, and paste the JDID into a message to send to the administrator. The JDID is saved in the DID field of the device.

• This field can be left blank if you have a device identity server (DIS) configured for pin-based registration.

3. Click Save. The gateway uses SMS or e-mail to send a Pulse download link and license key to the device.

Modifying Device Settings

Enterprise administrators and customer service personnel can change a device’s settings to enable additional features or resolve device and user issues. To change a device’s features, you can change the device and MDM profiles assigned to the device. You can also change the device user, phone number, registration status, license expiration date, and notes about the device. Some fields are view-only, such as device type, operating system, and Pulse client version.


NOTE: If a device is registered before the gateway is updated to release 4.2, the settings that are now in the device profile, such as Antivirus and Monitor and Control, are displayed as view-only. Assigning a device profile to the device removes the view-only settings, and you can then change the settings in the device profile (see “Adding and Editing Device Profiles” on page 49).

To view and manage device settings:

1. Select the Devices tab for an enterprise.

2. If device groups are defined, you can select a group from the list at the top of the page to view just the devices in the group.

3. To view only devices that match specific criteria, select the field to be searched from the Filter by list, enter or select a value, and click Search. Wildcard characters (such as * and ?) are not supported, but a match occurs on any field that contains the specified value. For example, to view all devices with phone numbers that start with 1614, select Device ID, enter 1614 as the value, and click Search. To remove the filter, click the Devices tab.

Note the following:

• The Device ID filter searches all possible device ID fields (DID, ESN, IMEI, IMSI, and UUID).

• The Ownership filter lets you search for devices by ownership (corporate, employee, or unknown). The ownership is unknown unless it is set by the Device Identity Server or through the management console.

• The Admin accepted selection lets you search for Android devices that have the Device Administrator enabled (Compliant) or disabled (Non-compliant).

• The Password enforced selection lets you search for Android devices that are compliant or noncompliant with the password policy in the MDM profile. A device that does not have a password defined is compliant if the MDM profile does not require a password.

4. In the Devices list, click a device to view or change the device settings. On the device details page, you can:

• Send commands to the selected device by clicking the arrowhead icon at the top of the page (see “Sending Device Commands” on page 73).

• View other devices registered to the same user in the current enterprise (if any) by selecting them from the View another device list.

• Select the user’s name to view the user’s account on the Users tab along with a list of all the user’s registered devices. You can select any device to return to the device details page.


NOTE: If the user has devices in multiple enterprises, the Users tab on the Partner page is displayed when you select the username. In this case, an error occurs if you do not have access to the partner.

5. Change the following fields, as needed, and click Save Changes. If you select Update device when saving at the bottom of the page, an Update Profile command is sent to the device; otherwise, the device is updated during the next synchronization.

Setting Description

General Settings

User Username created when the device is registered. If necessary, you can select another e-mail address to change the user of the device.

Phone Number Device phone number (MSISDN number). If the phone number changes, enter the new number here, including the country code and area code.

For tablet devices that do not have a phone, this field is blank and the device name is shown in the Phone/ID field on the Devices page.

Device Type Description of the device type. If this field is blank, the device operating system is shown in the Device Type column on the Devices page.

Operating System Operating system of the device.

Junos Pulse Version of the Junos Pulse client installed on the device.

Status The status can be any of the following:

• Registered—The device is active.

• Not Registered—The device was added to the gateway manually, and the user has not initiated the registration process through the client software.

• Suspended—The device cannot communicate with the gateway (assigned manually).

• Deactivated—Same as the Suspended status.

• Denied—The device is registered, but the device profile could not be installed because the Topic value in the MDM device settings does not match the User ID in the Subject field of the certificate used by the gateway (iOS devices only).

• Pending—The device is registered, but the installation of the MDM profile is still pending (iOS devices only). If iOS devices are registered before an APNS certificate is installed, their status is Pending on the gateway, but Registered on the device. After the APNS certificate is uploaded to the enterprise, you must notify registered iOS users to uninstall and reinstall the Pulse client.

Click View Event Log to view recent log entries for the current device.


Setting Description

Ownership Owner of the device (company, employee, or unknown). The device ownership can be set manually or by the Device Identity Server during automatic registration. If automatic profile assignment is enabled for corporate- and employee-owned devices (see “Editing the Default Enterprise Policy Settings” on page 13), note the following:

• The Device Profile and MDM Profile selections for each device are disabled, unless the device ownership is unknown.

• The device and MDM profiles are updated automatically if the device ownership is changed (updates occur during the next synchronization with the gateway).

• The enterprise default profiles are assigned to a device if the ownership is unknown or automatic profile assignment is disabled for the enterprise.

Device Profile Profile applied to non-iOS devices that specifies the user interface, antivirus, monitor and control, firewall, antispam, and SIM change settings. Use the list box to select the device profile. The list box is disabled for iOS devices and for corporate- and employee-owned non-iOS devices if automatic profile assignment is enabled (see “Editing the Default Enterprise Policy Settings” on page 13). To create or change device profiles, see “Adding and Editing Device Profiles” on page 49.

MDM Profile Profile that contains the rules that are applied to iOS and Android devices. Use the list box to select the profile. If you select the blank entry from the list, a RemoveProfile command is sent to the device to delete the current profile. The list box is disabled for corporate- and employee-owned devices if automatic profile assignment is enabled (see “Editing the Default Enterprise Policy Settings” on page 13). To create or change MDM profiles, see “Adding and Editing MDM Profiles” on page 36.

Profiles created with the Apple IPCU utility and imported to the gateway cannot be selected for Android devices.

NOTE: Registered users who reinstall the Pulse client on iOS devices must manually delete the Juniper MDM.C profile under Settings > General-Profiles before the device can be reregistered.

UUID Universal unique identifier of the device.

IMEI International Mobile Station Equipment Identity is a number that identifies each GSM and WCDMA mobile phone. The number is usually printed inside the battery compartment of the device. For tablet devices that do not have a device identifier (DID), this field contains an ID number generated by the gateway during registration.

IMSI The International Mobile Subscriber Identity is a unique number associated with GSM and UMTS network phone users.

ESN The electronic serial number is used for cell phone tracking and activation in wireless carrier networks.


Setting Description

DID Device Identifier for iOS devices and some Android tablets. For iOS devices with Pulse client 4.2R3 (or later) this value is the MAC address of the WiFi adapter. For earlier versions of the Pulse client, this value is the iOS UDID. If you enter the MAC address manually, enter the 12 hexadecimal digits without colons or other separators.

Expiration Date Date the license expires. The expiration date cannot exceed 2031.

Password Policy Status Indicates whether the device is password protected (Android devices only). The status Policy Enforcement Request Made indicates the applied MDM profile requires a password, but the user has not yet defined one.

Device Encryption Status Indicates whether encryption of application data is enabled (Android devices only).

License Consumer license key for devices registered manually. This field is blank for devices registered automatically or with an Enterprise license.

Created Date Date and time the device was added.

Modified Date Date and time the device settings were last modified.

Last Command Sent Date and time of the last command sent to the device (iOS devices only).

Last Virus Update Date Date and time of the last update of the virus definitions (non-iOS devices only).

Last Sync Date Date and time of the last synchronization of the gateway settings with the settings on the device.

Notes Displays information retrieved from the device at registration time. You can enter additional notes, as needed.

Backup Data (non-iOS devices)

Backup Indicates the time and file size of the last backup of personal data from the device (if any).

Applying Profiles to Devices

When an iOS or Android device registers with an enterprise, an MDM profile defined by the enterprise is loaded on the device. Non-iOS devices also receive the device profile defined by the enterprise. You can change the profile assigned to one or more devices by applying a new profile. When a profile is applied to one or more devices, the Update Profile command is sent to each device, which prompts the device to download the new profile.


NOTE: If automatic profile assignment is enabled for corporate- and employee-owned devices (see “Editing the Default Enterprise Policy Settings” on page 13), you can apply a new profile to a device only if the ownership is unknown. To change the profiles for corporate- and employee-owned devices, you must change the device ownership or change the enterprise profile settings.

To apply a device or MDM profile to one or more devices:

1. Select the Devices tab for the enterprise.

2. Use the filter to locate specific devices. For example, if you know the device phone number, enter all or part of the number in the Device ID field, and click Search. To remove the filter, click the Devices tab.

3. In the Devices list, select the check box next to the devices where you want to change the profile, and click Apply MDM Profile or Apply Device Profile. When changing the MDM profile, an error occurs if any selected device is not an Android or iOS device.

NOTE: Imported profiles apply only to iOS devices, and are excluded from the list of MDM profiles if one or more Android devices is selected.

4. In the displayed list of profiles, select the profile that you want to apply to the selected devices, and click Save. To find a specific profile, begin typing part of the profile name or description in the Search text box.

After you apply a profile, the Last Sync date on the Devices page is updated when the profile is loaded on the device. You can also use the Command History report to verify that the command was acknowledged and processed (see “Viewing Reports” on page 79).

Sending Device Commands

After you update a device’s settings, you can send an Update Profile command that prompts the device to get the latest settings from the gateway. You can also use device commands to enable or disable features, initiate a virus scan, back up a device’s contacts and calendar information, or send messages to Android devices. Some commands are sent only by the system or as a result of other actions by the administrator.

Customer service personnel typically execute just a few of these commands to resolve customer issues. The Update Profile command is commonly used after device settings are changed. Users might also need assistance to unlock their handset or enable or disable GPS location services on their device.

Commands are sent to iOS devices using APNS and to non-iOS devices using SMS. Optionally, GCM can be used for Android devices. Each command is encrypted, device-specific, and sent only once. After a command is sent, use the Command History report to verify that the command was acknowledged and processed (see “Viewing Reports” on page 79).


NOTE: Command delivery may take several minutes and, while highly reliable, is not guaranteed. Also, device commands cannot be sent over Wi-Fi or to non-iOS devices that do not support SMS (such as some non-iOS tablets).

To send commands to devices:

1. Select one of the following tabs for an enterprise:

• Devices

• Users

• Groups

2. Select the individual devices, users, device groups, or user groups to which you want to send commands. For users or user groups, commands are sent to the devices registered to those users.

3. Click Send Commands, select the commands you want to send, and click Process. Table 9 on page 74 describes the commands that you can select, plus other commands that are the result of other actions. Note the following:

• If you select an iOS device, only the universal commands are displayed.

• If you select only non-iOS devices, both universal and non-iOS commands are displayed. Some commands are hidden if the associated feature is inactive on the device (see the UI Mode settings in “Adding and Editing Device Profiles” on page 49). If you select non-iOS devices that have different features enabled, only the commands available to all devices are displayed.

NOTE: The name shown in parentheses for each universal command is the name displayed on the Command History report for iOS devices. For example, on the Command History report, the Update Profile command is shown as Install Profile for iOS devices, and Update Profile for all other device types.

Table 9: Device Commands

Command Description

Universal Commands

Update Profile (Install Profile): Updates all the settings on the device.

Retrieve Application List (Retrieve Installed Application List): Retrieves a log of the applications installed on the device. To view the retrieved log, click the Apps button for the device on the Monitor and Control report (see “Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices” on page 83). This command is also sent if you click Retrieve List in the list of applications on the report.


Handset Wipe (Erase Device): Erases personal data from each device, depending on the device type (see “Pulse Mobile Security Features by Device Type” on page 91). Note the following:

• For Android and Blackberry devices, this command is displayed only if the Wipe Device feature is enabled.

• For iOS and Android 2.2 (or later) devices that have the Device Administrator function enabled, a factory reset occurs that removes all applications installed by the user, including Junos Pulse. This command has no effect on Android devices that have the Device Administrator disabled.

• On Android 2.1 devices the SD memory card is not erased.

• On iPhones prior to the iPhone 4, it can take approximately one hour to wipe each 8 GB on the device.

Handset Lock (DeviceLock): Locks a device to prevent a lost or stolen device from being used. For Android and Blackberry devices, you can specify a passcode and select the check box to e-mail the passcode to the user. Note the following:

• For Android and Blackberry devices, this command is displayed only if the Lock/Unlock Device feature is enabled.

• For Android devices, if the Device Administrator is enabled and a passcode is defined on the device, the existing passcode is used to lock the device, and the passcode in the command is ignored. If the Device Administrator is disabled or a passcode is not defined on the device, the device is not locked unless the command includes a passcode.

• For Blackberry devices, if the command is sent without a passcode, the device is locked with the passcode entered during manual registration. For devices registered automatically, a passcode is generated on the device.

A locked device can be unlocked by sending a Handset Unlock command. Android and Blackberry devices also can be unlocked by entering the passcode on the device. For iOS devices that do not have a passcode, a swipe gesture will unlock the device.

NOTE: Locking the device does not disable active background applications, such as a phone call or the music player.

Handset UnLock (Clear Passcode): Unlocks a locked device or clears the passcode on iOS devices so that users can enter a new password to unlock the device. For Android and Blackberry devices, if the Lock/Unlock Device feature is enabled, you can specify a blank passcode to unlock the device or specify a new passcode and select the check box to e-mail the new passcode to the user. The user must enter the new passcode to unlock the device.

NOTE: For Android devices, if the Device Administrator is enabled and a passcode is defined on the device, the new passcode replaces the existing one only if it satisfies the device passcode policy. A blank passcode unlocks the device only if the device allows an empty passcode and encryption is not enabled.


Application Message: Sends a message to the Pulse client on Android devices, or the service registration (SR) application on iOS devices. The message triggers an alert on the device. For Android devices, the message is sent over SMS if GCM is not available. For iOS devices, an APNS certificate for the SR application must be obtained from Apple and imported to the gateway (see “Configuring APNS Application Certificates” on page 28).

Specify the following:

• Message—Text of the message. To include a URL, enclose the link text in square brackets and specify the URL in the URL field. Users do not see the brackets if a URL is specified. For example: Click [here] to view an important security alert. The maximum message length, counting the URL, is 94 characters for Android devices and 130 characters for iOS devices.

• URL—Optional URL to be associated with the link text in the message (must start with http:// or https://). If the URL is device-specific, you can append placeholders to the URL for one or more device identifiers, and the Pulse client will insert the appropriate values in the braces. The general format is: http://.../?msisdn={}&imei={}&imsi={}&did={}

• Time to live—Optional number of minutes (up to 44640) before the message is deleted automatically from the device. If the value is zero or blank, the message is retained until deleted manually.

NOTE: Application messages also can be sent using the gateway API.

Non-iOS Commands

Scan Handset, Scan Card: Scans the device’s file system or secure digital (SD) memory card for viruses (the Anti Virus feature must be enabled).

Update Virus Definitions: Sends the latest virus definitions to each device.

Retrieve Logs: Retrieves the device’s message log (the Monitor & Control feature must be enabled). To view the message log, click the Messages button for the device on the Monitor and Control report (see “Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices” on page 83). This command also is sent if you click Retrieve List in the list of messages on the report.

Handset Backup: Backs up the device’s contact list and calendar on the gateway (the Backup feature must be enabled).

Handset GPS Location: Sends the current GPS location of each device to the gateway (the Locate Device feature must be enabled).

Alarm On, Alarm Off: Turns the device alarm on or off. The alarm is used to help locate a lost device (the Scream Locate feature must be enabled).


GPS Theft On, GPS Theft Off: Turns the GPS theft mode on and off (the Locate Device feature must be enabled). The GPS Theft On command enables GPS on the device (if it is disabled) and sends GPS updates to the server every 2 or 3 minutes. The GPS Theft Off command restores GPS updates to the frequency specified by the GPS Update Period setting for the device.

Restore Personal Data: Restores the device’s contact list and calendar from the last backup (the Backup feature must be enabled).

Other Commands

Retrieve Device Information, Install Profile: Issued when an iOS device is registered.

Remove ActiveSync Profile: Issued when, in an MDM profile, the check box to require Exchange ActiveSync settings is cleared. The ActiveSync settings are kept in a separate profile on iOS devices.

Remove Profile: Issued when the blank profile is selected for an Android or iOS device (used to delete the MDM profile so that the device can be reregistered).

Remove Application: Issued when an application is removed from a device using the App Revocation List (see “Removing Applications From Managed Devices” on page 82).

Send Contact Log: Issued when you click Retrieve List in the contact log for a device on the Monitor and Control report (see “Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices” on page 83).
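The Application Message format described in Table 9 (bracketed link text, a URL with identifier placeholders, and the 94/130 character limits), as an added example that is not part of the Juniper guide. It assumes that the length limit applies to the message text plus the URL as entered on the gateway, that empty braces are filled from the identifier named just before them, and that the device record is a plain dict with msisdn/imei/imsi/did keys.

```python
"""Render and length-check a Pulse Mobile Security Gateway Application Message.

Added example, not Juniper code. Assumptions (not stated by the guide):
- the per-platform limit (94 characters for Android, 130 for iOS) is applied
  to the message text plus the URL template as entered on the gateway;
- each "name={}" placeholder is filled with the device identifier of that
  name, which is how the guide describes the client inserting values.
"""
import re
from urllib.parse import urlsplit

MAX_MESSAGE_LENGTH = {"android": 94, "ios": 130}    # limits from the guide
PLACEHOLDER_KEYS = ("msisdn", "imei", "imsi", "did")  # identifiers the client can insert
_LINK_RE = re.compile(r"\[([^\[\]]+)\]")             # [link text]
_PLACEHOLDER_RE = re.compile(r"(?P<key>\w+)=\{\}")   # name={}


def validate_url(url):
    """Return a problem description for a URL the gateway would reject, or None."""
    if not (url.startswith("http://") or url.startswith("https://")):
        return "URL must start with http:// or https://"
    if not urlsplit(url).netloc:
        return "URL has no host"
    for m in _PLACEHOLDER_RE.finditer(url):
        if m.group("key").lower() not in PLACEHOLDER_KEYS:
            return "unknown placeholder identifier: " + m.group("key")
    return None


def fill_placeholders(url_template, device):
    """Substitute each 'name={}' with the device's identifier (client-side step).

    device: hypothetical record shape, a dict keyed by msisdn/imei/imsi/did.
    A placeholder whose identifier the device lacks is left empty.
    """
    def _sub(m):
        key = m.group("key").lower()
        return "%s=%s" % (m.group("key"), device.get(key, ""))
    return _PLACEHOLDER_RE.sub(_sub, url_template)


def render_message(text, url=None):
    """Text the user sees: brackets around link text are dropped only when a URL exists."""
    if url:
        return _LINK_RE.sub(lambda m: m.group(1), text)
    return text


def check_message(text, platform, url=None):
    """Validate an Application Message for one platform; returns a list of problems."""
    limit = MAX_MESSAGE_LENGTH.get(platform)
    if limit is None:
        return ["unsupported platform: %s" % platform]
    problems = []
    if url:
        err = validate_url(url)
        if err:
            problems.append(err)
        if not _LINK_RE.search(text):
            problems.append("URL given but message has no [link text]")
    total = len(text) + (len(url) if url else 0)
    if total > limit:
        problems.append("message plus URL is %d characters, limit is %d" % (total, limit))
    return problems


if __name__ == "__main__":
    # Constructed sample, using the guide's own example sentence.
    text = "Click [here] to view an important security alert."
    url = "https://alerts.example.net/?msisdn={}&imei={}&imsi={}&did={}"
    device = {"msisdn": "15555550100", "imei": "IMEI-PLACEHOLDER", "did": "0011223344aa"}
    print(render_message(text, url))
    print(fill_placeholders(url, device))
    for platform in ("android", "ios"):
        print(platform, check_message(text, platform, url) or "OK")
```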

Backing Up and Restoring Personal Data

The personal contact list and calendar on non-iOS devices can be backed up and restored by an enterprise administrator and some device users. Users can initiate a backup from the Pulse client on the device. If the enterprise allows access to the gateway dashboard, users can use their registration e-mail address and password to log in to the dashboard and restore their last backup.

For users who do not have access to the dashboard or who register without entering an e-mail address and password, the administrator can perform the restore or provide a login account for the dashboard.

The restore process does not overwrite anything. To avoid creating duplicate entries on a device, the administrator or dashboard user may want to issue a Handset Wipe command before restoring a backup.

Related Documentation

• Editing the Default Enterprise Policy Settings on page 13

• Managing MDM Profiles on page 36

• Managing Device Profiles on page 49


• Viewing Reports on page 79

Managing Device Groups

Device groups let you view devices by group, send commands to the devices in one or more groups, and view reports for the devices in a specific group. Devices can belong to multiple groups, and each group can contain other groups.

If any device groups are defined, a list is displayed at the top of the page when you select the Devices, Groups, or Reporting tabs. If you select a group that contains other groups, another list is displayed for the subgroups.

To add or delete device groups:

1. Select the Groups tab for an enterprise.

2. To add a new device group:

a. To add a group to an existing device group, select the device group from the list at the top of the page. If the selected group contains other device groups, you can select a subgroup.

b. Click Add Device Group and specify the device group properties:

• Name—A unique group name (up to 36 characters).

• Notes—Additional information about the group.

c. Click Save to save the group and to close the window.

3. To delete device groups:

a. To delete a group from an existing device group, select the device group from the list at the top of the page.

b. Select one or more groups and click Delete.

To add or remove devices from device groups:

1. Select the Devices tab for an enterprise.

2. To add devices to a group:

a. Select the check box for each device you want to add to a group.

b. Click Move To, select the target device groups, and then click Move.

3. To remove devices from a group:

a. Select the device group from the list at the top of the page.

b. Select the check box for each device you want to remove, and click Remove From Group.

Related Documentation

• Managing User Groups on page 66

• Managing Devices on page 67

CHAPTER 6 Reports

This chapter describes how to use the reporting features. Generally, these reports are used only by administrators, but customer service personnel may use them occasionally to resolve customer issues.

• Viewing Reports on page 79

• Removing Applications From Managed Devices on page 82

• Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices on page 83

• Tracking Devices with GPS on page 84

• Viewing the Gateway and Change History Logs on page 85

• Viewing Device Compliance Messages on page 86

Viewing Reports

The reports provided with the Pulse Mobile Security Suite let you view lists of the registered devices, discovered viruses or malware, and the date and time of the last updates to the device settings. You can also view the monitored content for each device, remove applications from selected devices, map the location of a lost device, and verify the execution of device commands.

To view reports:

1. Select the Reporting tab for the root, a partner, an enterprise, or a device group.

2. Click the name of the report you want to view. For most reports you can:

• Use filters to limit the report to specific criteria. Select a field to be searched and a comparison operator (such as Equal To), enter a value, and then click Search. To specify another filter, click Add Filter.

NOTE: If you specify multiple filters, only records that match all of the filter criteria are displayed.


• Export up to 1000 records to an Excel or tab-separated values (TSV) file. Use the filters to limit the report to 1000 records or fewer.

Report Name Description

Summary: Displays a pie chart of the types of discovered viruses, a bar chart of device registrations, and the last 10 discovered viruses and registered devices.

Virus Discovery Alerts: Lists the viruses found on devices. The report lists the Virus Name, Device Firmware, Virus Filename, Handset Identification (IMEI, IMSI, MSISDN), and the date discovered.

Profile Update Report: Lists the date and time of each device update and indicates whether the device’s profiles were updated (Yes or No). A No indicates that something more specific was updated, such as the virus definitions.

Registration Report: Lists the database registration information for each device, including the IMEI, IMSI, DID, MSISDN, ESN, and Created Date.

Software Update Report: Lists the software updates that were pushed to devices by the Pulse Mobile Security Gateway. The report lists the Build, New Version, Old Version, Handset Identification, and Date for every update transaction.

Monitor and Control Report: Lists the devices that have sent log updates to the gateway for the types of data the device is monitoring (e-mail, SMS and MMS messages, and pictures). You can view the logs of monitored data, as well as the contacts and applications on each device (see “Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices” on page 83).

App Revocation Report: Lists the applications that were removed from devices by an administrator. The report lists the Application Name, Status of removal, Handset Identification, and Date processed.

App Revocation List: Lists the applications installed on the managed devices. You can use the list to remove applications from devices that support this feature (see “Removing Applications From Managed Devices” on page 82).

GPS Tracking Report: Lists the last reported location in the Global Positioning System for all devices that have a GPS Update period specified or have received the GPS Theft On command. The report includes the Handset Identification, GPS Type, Latitude, Longitude, and the last Captured Date/Time. Click the icon in the Map It column to view the last device location (see “Tracking Devices with GPS” on page 84).


Command History: Lists the commands issued to devices from the Pulse Mobile Security Gateway. The most recent commands are listed first. The following fields indicate whether the command was processed successfully:

• Status—For non-iOS devices, indicates whether the SMS message was delivered to the device (PROCESSED or FAILED). The FAILED status can occur if the device is turned off or the phone number is incorrect (such as when the country code is missing), or the SMS or GCM service is down or not configured correctly for the enterprise. For iOS devices, the status can be one of the following:

• i_Created—The command was created.

• i_Pushed—The command was sent to Apple’s APNS server.

• i_Pulled—The device is obtaining the command from the gateway.

• i_NotNow—The device received the command but cannot respond immediately. The device will respond when the command is executed.

• i_Executed—The device executed the command successfully.

• i_Error—The command cannot be executed (the Ack Reason field may have more information).

• i_FormatError—The command has a protocol-level error.

• i_EmptyProfile—A profile with only the general and GPS settings is being loaded on the device.

• Ack Status—Indicates whether the device executed the command successfully (true or false). A false status can occur if the device does not support the command.

• Ack Reason—Indicates whether a command was executed or a message was received. May provide more information when the Status field is FAILED or i_Error or the Ack Status field is false. This field can also indicate when a Handset Wipe command is complete, and the number of viruses found by a Scan Handset command.


Android Malware: Lists the malware, suspicious, and prohibited applications detected on Android devices, depending on the selection in the View Detections By menu:

• Device—Lists the device ID and user name for each device that has installed, removed, or allowed one or more malware, suspicious, or prohibited applications, and the number of each (only suspicious applications can be allowed). Select a device to view the package name, application name, detection date, and status (installed, removed, or allowed) of each application detected on the device. The detection date is the date of the scan.

• Any Type—Lists the package and application name of each malware, suspicious, or prohibited application detected on one or more Android devices, and the number of devices where the application has been installed, removed, or allowed. Select an application to view the user name, detection date, and status for each device where the application was detected.

• Malware—Lists the malware applications detected, and the number of devices where each application has been installed or removed.

• Prohibited—Lists the prohibited applications detected, and the number of devices where the application has been installed or removed.

• Suspicious—Lists the suspicious applications detected, and the number of devices where the application has been installed, removed, or allowed.

To find all devices, users, or applications that include some specific text in the name, enter the text in the box next to the Search button, and click Search.

Related Documentation

• Removing Applications From Managed Devices on page 82

• Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices on page 83

• Tracking Devices with GPS on page 84

Removing Applications From Managed Devices

You can view the applications that reside on managed devices and remove applications from selected devices (currently supported only on some Android devices). Deleting an application sends a Remove Application command to each device.

NOTE: Users are not notified when an application is removed from their device, and are not prevented from reinstalling the application.

To view and remove device applications:

1. Select the Reporting tab for the root, a partner, an enterprise, or a device group.

2. Click App Revocation List to display a list of all of the applications that reside on the managed devices.


The applications list is retrieved when the device is registered. To update the list, issue the Send App Log command to the device. Alternatively, you can select the Monitor and Control Report, click Apps to view the applications on a specific device, and then click Retrieve List to update the list.

Because of differences in how different devices handle applications, the list might not show every application on the device.

3. To filter the revocation list by application name, click Add Filter, specify the filter criteria, and click Run Report.

4. Click an application to display a list of devices where that application is installed.

5. To remove the application from all devices, click Remove Apps in All Devices. To remove the application from specific devices, select the check boxes for the appropriate devices, and click Remove Apps for Selected Devices.

Related Documentation

• Managing Devices on page 67

• Viewing Reports on page 79

Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices

You can view logs of the applications, contacts, pictures, and messages that reside on managed devices (iOS devices provide only the application log). The inventory of these items is created on request to provide a real-time view of the content on managed devices. The content of the message log depends on the device log settings for e-mail, MMS, and SMS messages.

NOTE: The Contact Log on the gateway is cumulative, so that it retains entries that have been deleted from the device.

To view the applications, contacts, pictures, and messages that reside on managed devices:

1. Select the Reporting tab for the root, a partner, an enterprise, or a device group.

2. Click Monitor and Control Report. The report lists each device, and each device record includes a set of buttons that let you view the applications, contacts, pictures, and messages on the device.

3. Click a button in a device record to display the items that reside on the device according to the last log update.

4. Click Retrieve List to retrieve the most recent data from the device. The retrieval may take a few minutes.

Related Documentation

• Managing Devices on page 67

• Viewing Reports on page 79


Tracking Devices with GPS

Mobile devices that support the Global Positioning System (GPS) can report their location to the Pulse Mobile Security Gateway, and the location can be displayed on a map. GPS data is reported by all devices that have a GPS Update period specified or by non-iOS devices that receive a GPS Theft On command.

To view a device’s location:

1. In the navigation panel, select the root, a partner, an enterprise, or a device group, and then select the Reporting tab.

2. Click GPS Tracking Report. For each device, the report lists the GPS type and the last reported latitude and longitude. Note that a GPS type of network indicates that cell-tower triangulation is used to locate the device, which is less accurate (up to a few hundred feet) than GPS or Assisted GPS.

3. Click the Map It icon for a device to view the device’s location.

NOTE: The accuracy of location information can be affected by many environmental factors. Devices that have no location data will report 0.0 as their location.

Related Documentation

• Managing Devices on page 67

• Viewing Reports on page 79


Viewing the Gateway and Change History Logs

You can view the entries in the gateway log by date and hour, and save the displayed log entries to a text file. The Change History log records each user action, including the user’s login name, IP address, and the details of the change (if any).

To view the gateway and change history logs:

1. Select the Logs tab for the root or an enterprise.

2. To view the gateway log:

a. Use the following filters to view specific log entries:

• Select Device ID or Event Type, select a comparison operator (such as Equal To), and enter or select a value. The device ID value can be all or part of the DID, ESN, IMEI, IMSI, or UUID. To specify another device ID or event type, click Add Filter. Note the following event types:

Event Type Log Entries and Event Codes

Console: All console operations, except device commands, reports, and MDM updates (EV0035-EV0044, EV0047, EV0049, EV0058-EV0061).

MDM: All entries related to device MDM updates (EV0063).

Web: Requests and posts processed by the gateway webserver (EV0028, EV0029).

• Select the date and hour of the log entries you want to view. To view only the log entries that contain a specific text string, enter the text in the Keyword field.

NOTE: If you specify multiple filters, only entries that match all of the filter criteria are displayed.

b. Click Search to display the matching log entries. The most recent entries are listed first.

c. To save the displayed log entries to a text file, click Download.

3. To view the Change History log, click Change History. The most recent entries are listed last.

Related Documentation

• Viewing Device Compliance Messages on page 86

• Viewing Reports on page 79


Viewing Device Compliance Messages

Android devices report to the gateway when a device compliance parameter is changed. These compliance messages are written to the gateway log and are used to generate syslog messages if a syslog server is defined for the gateway.

The format of the log message is:

EV00nn - [enterpriseID] [DeviceComplianceCheck] DCP00nn:text [deviceIDs]

Table 10 on page 86 describes the message codes and the compliance parameters.

Table 10: Device Compliance Parameters

Code Text Description

EV0064: Device is compliant with the parameter specified in the message

EV0065: Device is NOT compliant with the parameter specified in the message

DCP0001 SDK Level: Android SDK version (all devices are compliant, no syslog message generated)

DCP0002 Administrator Privilege Granted: Status of the Device Administrator

DCP0003 Virus: Number of discovered viruses changed to zero (compliant) or from zero to nonzero (noncompliant)

DCP0004 Malware: Number of malware applications changed to zero (compliant) or from zero to nonzero (noncompliant)

DCP0005 Suspicious: Number of suspicious applications changed to zero (compliant) or from zero to nonzero (noncompliant)

DCP0006 Blacklisted: Number of prohibited applications changed to zero (compliant) or from zero to nonzero (noncompliant)

DCP0007 Last Full Scan: Time of last virus scan (all devices are compliant, no syslog message generated)

DCP0008 Password: Status of device password (enabled status is compliant; disabled status is noncompliant if the MDM profile requires a password)

DCP0009 Storage Encryption: Status of device encryption (enabled status is compliant; disabled status is noncompliant if the MDM profile requires encryption)

DCP0010 Rooted: Status of full (root) access to the operating system (disabled status indicates compliance)
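The gateway log event-type groupings (Console, MDM, Web) and the compliance message format with the Table 10 codes, as an added example that is not Juniper's code: it classifies log lines by EV code and decodes DeviceComplianceCheck entries into a per-device list of noncompliant parameters. The sample log lines are constructed, and the parser assumes that multiple device IDs in the trailing brackets are comma-separated.

```python
"""Classify Pulse Mobile Security Gateway log entries and decode compliance messages.

Added example, not code from the Juniper guide. Event-type code ranges come
from the gateway log filter description; DCP codes and their meaning come from
Table 10. Assumption: several device IDs in "[deviceIDs]" are comma-separated.
"""
import re

# Event-type groupings exactly as listed for the gateway log filter.
EVENT_TYPES = {
    "Console": set(range(35, 45)) | {47, 49} | set(range(58, 62)),
    "MDM": {63},
    "Web": {28, 29},
    # Compliance results (Table 10); these are written to the log but are not a filter option.
    "Compliance": {64, 65},
}

# DCP code -> (parameter text, can raise a syslog message). DCP0001 and DCP0007
# are always compliant, so the guide says no syslog message is generated for them.
COMPLIANCE_PARAMS = {
    "DCP0001": ("SDK Level", False),
    "DCP0002": ("Administrator Privilege Granted", True),
    "DCP0003": ("Virus", True),
    "DCP0004": ("Malware", True),
    "DCP0005": ("Suspicious", True),
    "DCP0006": ("Blacklisted", True),
    "DCP0007": ("Last Full Scan", False),
    "DCP0008": ("Password", True),
    "DCP0009": ("Storage Encryption", True),
    "DCP0010": ("Rooted", True),
}

_EVENT_RE = re.compile(r"\bEV(?P<num>\d{4})\b")
# EV00nn - [enterpriseID] [DeviceComplianceCheck] DCP00nn:text [deviceIDs]
_COMPLIANCE_RE = re.compile(
    r"EV(?P<num>006[45]) - \[(?P<enterprise>[^\]]*)\] \[DeviceComplianceCheck\] "
    r"(?P<dcp>DCP\d{4}):(?P<text>[^\[]*?)\s*\[(?P<devices>[^\]]*)\]"
)


def event_type(line):
    """Return the filter category for a log line, 'Other' for an unlisted EV code, None if no code."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    num = int(m.group("num"))
    for name, codes in EVENT_TYPES.items():
        if num in codes:
            return name
    return "Other"


def parse_compliance(line):
    """Decode one DeviceComplianceCheck entry into a dict, or None if the line is not one."""
    m = _COMPLIANCE_RE.search(line)
    if not m:
        return None
    dcp = m.group("dcp")
    # Unknown DCP codes fall back to the text carried in the message itself.
    parameter, can_syslog = COMPLIANCE_PARAMS.get(dcp, (m.group("text").strip(), True))
    return {
        "enterprise": m.group("enterprise"),
        "code": dcp,
        "parameter": parameter,
        "compliant": m.group("num") == "0064",   # EV0064 compliant, EV0065 not
        "devices": [d.strip() for d in m.group("devices").split(",") if d.strip()],
        "syslog": can_syslog,
    }


def noncompliant_devices(lines):
    """Map device ID -> parameters reported NOT compliant (EV0065) across a log."""
    result = {}
    for line in lines:
        rec = parse_compliance(line)
        if rec is None or rec["compliant"]:
            continue
        for dev in rec["devices"]:
            result.setdefault(dev, []).append(rec["parameter"])
    return result


# Constructed sample log lines (not real gateway output); device IDs are placeholders.
SAMPLE_LOG = [
    "EV0028 - [ent-42] constructed web request entry",
    "EV0063 - [ent-42] constructed MDM update entry",
    "EV0065 - [ent-42] [DeviceComplianceCheck] DCP0010:Rooted [IMEI-PLACEHOLDER-1]",
    "EV0064 - [ent-42] [DeviceComplianceCheck] DCP0003:Virus [IMEI-PLACEHOLDER-1]",
    "EV0065 - [ent-42] [DeviceComplianceCheck] DCP0008:Password [IMEI-PLACEHOLDER-2, IMEI-PLACEHOLDER-3]",
    "EV0064 - [ent-42] [DeviceComplianceCheck] DCP0001:SDK Level [IMEI-PLACEHOLDER-2]",
    "EV0040 - [ent-42] constructed console operation entry",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(event_type(line), parse_compliance(line))
    print(noncompliant_devices(SAMPLE_LOG))
```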

Related Documentation

• Viewing the Gateway and Change History Logs on page 85


• Viewing Reports on page 79


PART 2 Appendices

• Summary of Supported Features on page 91


APPENDIX A Summary of Supported Features

This appendix provides a summary of the available features for each type of device. Each deployment can be customized to include or exclude specific features.

Pulse Mobile Security Features by Device Type

Table 11 on page 91 indicates the Pulse Mobile Security features supported by each type of device. Table 12 on page 93 indicates the data erased for each device by the Handset Wipe command.

Table 11: Feature Support by Device Type

Feature Android Blackberry iOS Symbian Windows Mobile

Alarm On/Off ✓ ✓ ✓ ✓

Antispam ✓ ✓

Antivirus ✓ ✓ ✓ ✓

Application Inventory ✓ ✓ ✓ ✓ ✓

Application Messages ✓ SR only

Application Removal ✓ ✓ ✓ ✓

Automatic Registration ✓ ✓ ✓

Backup/Restore Contacts & Calendar ✓ ✓ ✓ ✓

Contacts Log ✓ ✓ ✓ ✓

Control Device Encryption ✓

Control SD Card Encryption Samsung

Dashboard Web Portal ✓ ✓ ✓ ✓ ✓

Device Identity Servers ✓ ✓ ✓


Disable Voice ✓ ✓ ✓

Enterprise VPN support ✓ IPsec to SRX ✓ ✓

Exchange provisioning ✓ ✓

Firewall ✓ ✓

GPS Location/Tracking ✓ ✓ ✓ ✓ ✓

GPS Theft On/Off ✓ ✓ ✓ ✓

Images Log ✓ ✓ ✓ ✓

Lock/Unlock Handset ✓ ✓ ✓ ✓ ✓

Lock on SIM Change ✓ ✓ ✓ ✓

Log Event/Size Limits ✓ ✓ ✓ ✓

Log E-Mail ✓ ✓ ✓

Log Images ✓ ✓ ✓ ✓

Log MMS Messages ✓

Log SMS Messages ✓ ✓ ✓ ✓

Log Web Images ✓ ✓ ✓

Malware Scan Interval ✓

Monitor and Control Report ✓ ✓ ✓ ✓ ✓

Passcode Requirements ✓ ✓

Policy Based Client UI ✓ ✓

Prohibited Applications ✓

Restrictions on device usage ✓ ✓

Scan Card ✓ ✓ ✓ ✓

Scan Handset ✓ ✓ ✓ ✓


Service Bundles ✓ ✓

SCEP server support ✓

Update Profile ✓ ✓ ✓ ✓ ✓

Update Virus Definitions ✓ ✓ ✓ ✓

Voice Log ✓ ✓ ✓ ✓

VPN provisioning ✓ ✓

VPN strong authentication (PKI or 2FA) ✓ ✓ ✓

Wi-Fi provisioning ✓ ✓

Wipe Handset ✓ ✓ ✓ ✓ ✓

Wipe on SIM Change ✓ ✓ ✓ ✓

Table 12: Personal Data Erased by Handset Wipe Command

Personal Data | Android (2.2 and higher) | Blackberry | iOS | Symbian | Windows Mobile

The Android (2.2 and higher) and iOS entries apply to every row of the table; the check marks in the remaining rows refer to Blackberry, Symbian, and Windows Mobile.

Appointments | Factory reset (if the Device Administrator is enabled) | ✓ | Factory reset | ✓ | ✓

Calendar Memos | Factory reset (if the Device Administrator is enabled) | N/A | Factory reset | ✓ | N/A

Calendar ToDos ✓ ✓ N/A

Call History ✓ ✓ ✓

Contacts ✓ ✓ ✓

E-mail Boxes ✓ ✓ ✓

Memory Card ✓ ✓

Notes N/A ✓

SMS and MMS Both SMS

Tasks N/A ✓


NOTE: On Android 2.2 and later devices, the wipe command has no effect if the Device Administrator is disabled. On Android 2.1 devices, only the Call History, Contacts and SMS messages are erased.

PART 3 Index

• Index on page 97


Index

A
accessing the gateway...... 8
Ack status, command...... 81
ActiveSync Exchange settings for MDM profiles...... 37
administrator accounts, adding...... 17
aggregator settings, SMS...... 25
alarm commands...... 76
Android default MDM profile...... 14
Android Malware Report...... 82
Android malware scanning interval...... 54
Anti Theft buttons...... 53
antispam
  rules and profiles...... 60
  settings in device profiles...... 55
antivirus
  enabling for an enterprise...... 13
  reports...... 80
  settings in device profiles...... 53
  signature updates...... 30
  Update Virus Definitions command...... 76
APNS certificates
  for application messages...... 28
  for MDM profiles...... 16
App IDs...... 28
App Revocation List...... 80
App Revocation Report...... 80
Application APNS certificates...... 28
Application Message command...... 76
applications
  prohibiting...... 35
  removing...... 82
  viewing...... 83
archives, scanning...... 53
authentication settings for MDM profiles
  SCEP servers...... 43
  Wi-Fi connections...... 45
automatic profile assignment...... 17
automatic registration...... 22

B
backup and restore personal data...... 77
Backup command...... 76

C
C2DM settings...... 25
carrier-based routing...... 25
certificates
  creating for the Control Center...... 31
  importing for device identity servers...... 24
  importing for the Control Center and Signature Update Server...... 32
  importing for the MSG...... 24
Change History log...... 85
check-in period, iOS...... 14
ClearPasscode command...... 75
Command History Report...... 81
commands, sending...... 73
connectivity settings for MDM profiles...... 44
console, using...... 8
Consumer license...... 12
contacts, viewing...... 83
Control Center...... 30, 32
cookies...... 8
count of licensed devices...... 12
country-based routing...... 25
CSR for MDM APNS certificates...... 16
customer support...... x
  contacting JTAC...... x

D
dashboard access, allowing...... 13
dashboard login page URLs...... 26
default device profiles...... 56
default MDM profiles...... 48
device groups...... 78
device identity servers...... 23
device profiles
  adding and editing...... 49
  applying to devices...... 72
  deleting...... 57
  setting based on device ownership...... 17
  setting on a device...... 71
  setting the enterprise default...... 17, 56
DeviceLock command...... 75
devices
  adding...... 67
  applying profiles...... 72
  modifying...... 68
  registering...... 21
  sending commands to...... 73
  viewing monitored data...... 83
documentation
  comments on...... x

E
encryption on Android devices...... 38
enterprise code...... 12
enterprises
  adding...... 12
  editing...... 13
EraseDevice command...... 75
Exchange settings for MDM profiles...... 37
expiration date, license...... 12
exporting MDM profiles...... 47

F
features by device type...... 91
firewall
  rules and profiles...... 57
  settings in device profiles...... 55

G
GCM settings...... 25
GPS Location command...... 76
GPS Theft commands...... 77
GPS Tracking Report...... 80, 84
GPS Update Period
  for Android devices...... 55
  for iOS devices...... 46

H
handset lock and wipe commands...... 75
Help menu...... 9
hidden Wi-Fi networks, accessing...... 45

I
IMEI used for account name and password...... 8
importing and exporting MDM profiles...... 47
Install Profile command...... 74, 77
iOS commands...... 74
iOS default MDM profile...... 14
IPCU utility...... 47

J
JavaScript...... 8

L
license key for managed devices...... 12
Lock and Wipe commands...... 75
lock or wipe on SIM change...... 56
logs
  retrieving device message log...... 76
  settings in device profiles...... 54
  system severity level...... 26
  viewing gateway...... 85

M
malware scanning interval, Android...... 54
Malware Signature Update servers...... 30, 33
malware signature updates...... 30
management console, using...... 8
managing devices...... 67
manual registration...... 21
manuals
  comments on...... x
MDM APNS certificates...... 16
MDM profiles
  adding and editing...... 36
  applying to devices...... 72
  deleting...... 49
  importing and exporting...... 47
  setting based on device ownership...... 17
  setting on a device...... 71
  setting the enterprise default...... 14, 48
memory card
  scanning...... 53, 76
  wiping...... 75, 93
message log, retrieving...... 76
messages, viewing...... 83
minimal UI...... 51
Mobile Threat Center (MTC)...... 30
monitor and control
  enabling for an enterprise...... 13
  report...... 80
  settings in device profiles...... 54

O
ownership
  setting on a device...... 71
  setting ownership-based profiles...... 17

P
partners, adding...... 11
passcode requirements for MDM profiles...... 38
password
  changing...... 64
  default...... 8
permissions in user roles...... 18
pictures, viewing...... 83
Profile Update Report...... 80
profiles
  antispam...... 60
  applying to devices...... 72
  device...... 49
  firewall...... 57
  MDM...... 36
prohibited applications...... 35
provisioning profiles...... 28

R
registering devices...... 21
Registration Report...... 80
registration status...... 70
Remove ActiveSync Profile command...... 77
Remove Application command...... 77
Remove Profile command...... 71, 77
reports
  Android Malware Report...... 82
  App Revocation List...... 80
  App Revocation Report...... 80
  Command History Report...... 81
  GPS Tracking Report...... 80
  Monitor and Control Report...... 80
  Profile Update Report...... 80
  Registration Report...... 80
  Software Update Report...... 80
  Summary...... 80
  Virus Discovery Alerts...... 80
Restore Personal Data command...... 77
restrictions in MDM profiles...... 39
Retrieve Application List command...... 74
Retrieve Device Information command...... 77
Retrieve Installed Application List command...... 74
Retrieve Logs command...... 76
roles
  adding...... 18
  assigning...... 21
  overview...... 4
rules
  antispam...... 60
  firewall...... 57

S
scan commands...... 76
scanning interval, Android malware...... 54
scanning options...... 53
SCEP settings for MDM profiles...... 43
SD card
  scanning...... 53, 76
  wiping...... 75, 93
security UI...... 51
Send Contact Log command...... 77
severity level, system log...... 25
Signature Update servers...... 30, 33
signature updates...... 30
SIM change, lock or wipe on...... 56
SMS aggregator settings...... 25
Software Download URL...... 14, 67
Software Update Report...... 80
SR application
  configuring APNS certificates...... 28
  sending application messages...... 76
status
  command...... 81
  device registration...... 70
Summary Report...... 80
support, technical. See technical support
system log severity level...... 25

T
technical support
  contacting JTAC...... x
tracking devices...... 84

U
UI Button Mode...... 52
UI Mode...... 51
universal commands...... 74
Update Profile command...... 74
update schedule
  for GPS location...... 46, 55
  for iOS devices (check-in)...... 14
  for non-iOS devices...... 50
user accounts, adding...... 20, 63
user control lists, assigning...... 21
user groups...... 66
UUID
  for devices...... 71
  for enterprises...... 14

V
virus definition list...... 9
Virus Discovery Alerts...... 80
voice log...... 54
VPN settings for MDM profiles...... 41

W
Wi-Fi settings for MDM profiles...... 44
Wipe command, data erased by...... 93