EMM 10.1 Installation Guide

Installation Guide McAfee Enterprise Mobility Management 10.1


COPYRIGHT

Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Planning your installation
  Considerations before installing McAfee EMM software
    Security
    Mission-critical access
    Notifying users
    Help for users
  McAfee EMM components
    Server components
    Client components
  Configuration modes
    Enhanced security mode (dual servers)
    Basic security mode (single server)
    Simplified mode
  Installation requirements
    System requirements
    Requirements for Public Key Infrastructure (PKI) environments

2 Preparing for installation
  System settings
  Run the McAfee Deployment Helper
    Run the Deployment Helper for enhanced security installations
    Run the Deployment Helper for basic security installations
    Run the Deployment Helper for custom installations

3 Installing McAfee EMM software
  Install McAfee EMM software in enhanced security mode
    Install the internal components
    Install the external components
  Install McAfee EMM software in basic security mode
  Install McAfee EMM software in simplified mode
  Customize your McAfee EMM installation
    Installation settings for components
  Install auxiliary components
    Install the Download Manager File Installer for Windows Mobile support
    Install the BlackBerry Enterprise Server (BES) Agent for BlackBerry support
  Troubleshoot certificate errors

4 Provisioning user devices
  Overview of provisioning
  Provision iOS devices
  Provision Android devices
    Provision Android devices using the McAfee EMM app
    Configure email for Android devices
  Provision Windows Phone 7 devices
  Provision Windows Mobile devices

5 Modifying McAfee EMM software
  Upgrade McAfee EMM software
  Migrate McAfee EMM software
  Uninstall McAfee EMM software

A Specialized installation tasks
  Create an SRV record
  Export your encryption key
  SQL database permissions for installation

B Language support for McAfee EMM

Index


Preface

This guide provides the information you need to install your McAfee product.

Contents

About this guide
Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:

  1 Click Product Documentation.

  2 Select a product, then select a version.

  3 Select a product document.

To access the KnowledgeBase:

  • Click Search the KnowledgeBase for answers to your product questions.

  • Click Browse the KnowledgeBase for articles listed by product and version.


1 Planning your installation

Before you begin, plan the deployment of your McAfee® EMM™ software, learn about the software components, decide on a configuration model, and verify that your system meets minimum requirements.

Contents

Considerations before installing McAfee EMM software
McAfee EMM components
Configuration modes
Installation requirements

Considerations before installing McAfee EMM software

When you install any software that updates the way users interact with the network, it is important to plan for the installation and deployment of that software.

Security

Use these questions to help you identify the type of security policies you want to enforce.

• What types of devices are used in your network? A survey of device types, manufacturers, models, and operating systems might help you target your security policies.

• Which hardware or software restrictions apply for user devices? For example, you might want to disable cameras or Wi-Fi.

• Which applications should be blacklisted? EMM treats user devices with blacklisted applications as out-of-compliance.

• Which authentication settings are enforced on devices? For example, can users use passwords or PIN codes? What is the minimum length for each type of authentication? Are users required to change their password on a regular basis?

• What happens when authentication fails? For example, how many attempts should a user have to enter the correct password? Should the device be wiped after a specified number of failed attempts?

Mission-critical access

Determine which type of access is mission-critical to your organization.

In some organizations, access to email and other data from a mobile device might be important; in others it might be critical. If your organization considers use of ActiveSync-enabled devices mission-critical, you must consider all subsystems in the McAfee EMM software to be mission-critical.


In this situation, use hardware redundancy options such as:

• Network load balancing (NLB)

• Redundant Array of Independent Disks (RAID)

• Clustering options built into the operating system and applications

• SQL replication

Notifying users

Before deploying McAfee EMM software, consider how to notify users of provisioning requirements and planned changes to their mobile devices.

The User Notifications screen allows you to bulk-authorize many users at once and automatically send them emails or text messages with provisioning details. You can bulk-authorize users based on LDAP groups or by importing a list in comma-separated value (CSV) format.

For Windows Mobile devices, the initial installation and configuration requires users to enter a default password on their device. After the McAfee EMM software is deployed, users can't access their devices until they've provided the default password. To prevent temporarily limiting access to Windows Mobile devices, plan how to provide the default password to users in advance.

In addition to providing users with provisioning instructions, be sure to tell them how use of their mobile devices is changing. In many cases, the only difference is that users need to enter a password or PIN when they turn on their device or when the device locks after a timeout period. In other cases, your security policy might limit access to applications.

Help for users

Consider how you want users to get help if they have trouble during or after provisioning.

Some help tasks, like wiping a device, can be completed by the user through the McAfee EMM Portal. Other tasks can be completed only by an administrator through the McAfee EMM Helpdesk. Make sure you have a plan in place to provide help to users.


McAfee EMM components

The McAfee EMM system is based on a client-server architecture with server-side and client-side components.

Server components

These components are installed on enterprise servers and are used in the administration of the McAfee EMM system.

EMM server component: Description

Hub: The McAfee EMM Hub (Hub) manages communication between McAfee EMM components. It allows secure communication across the firewall (between the DMZ and the internal network) and eliminates the need to open custom firewall ports. SSL communication is established between the components. Using a custom installation, the Hub can also communicate with the DMZ components through an HTTP (non-secure) connection.

Console: The McAfee EMM Console (Console) is the application that manages the McAfee EMM system. It is an Internet Information Services (IIS) application accessible with Internet Explorer or Firefox web browsers with Microsoft Silverlight installed. Through the Console, administrative users can configure system settings, change policies, manage devices and users, administer McAfee EMM roles, perform Helpdesk functions, and view reports.

Portal: The McAfee EMM Portal (Portal) is an Internet-facing component that allows device users to initiate requests for software downloads, and to perform limited Helpdesk functions. Users access the Portal from a browser on a PC or mobile device. The Portal typically resides on a McAfee EMM server installed in the DMZ.

Device Management Gateway: The McAfee Device Management Gateway (DMG) is an Internet-facing component that manages the server-side communication with legacy Windows Mobile devices. It controls policy, software, and configuration updates for mobile devices.

ActiveSync Proxy and Compliance Filter: The McAfee ActiveSync Proxy is an Internet-facing component that proxies ActiveSync traffic to the email servers. It is an IIS application that resides in the DMZ and enables McAfee EMM to control access to enterprise resources on the DMZ server before reaching the internal network.

The McAfee Compliance Filter is installed on the filter/proxy server that is placed in the DMZ (or for basic security deployments, on the internal McAfee EMM server).

Push Notifier: The McAfee Push Notifier is an Internet-facing component that sends push notifications to mobile devices. The Push Notifier is a required component that is usually installed in the DMZ so it can communicate with Apple and Android push notification services.

BES Agent (optional): The McAfee BES Agent is an optional component that synchronizes the BlackBerry Enterprise Server to McAfee EMM and performs select device actions. We recommend installing the BES Agent on the internal server.

PKI Agent (optional): The McAfee PKI Agent is an optional component that dynamically retrieves certificates from a Microsoft certificate authority in PKI environments. It is usually installed on an internal server.


Client components

These components are installed on mobile devices that are registered on the enterprise network. They help provision user devices and communicate with the server.

EMM client component: Description

McAfee EMM app (iOS devices): McAfee EMM is a free iOS app that enables easy provisioning by the user, and allows push notifications to deliver profile and security policy changes.

McAfee EMM app (Android devices): McAfee EMM is a free Android app that enables easy provisioning by the user, and allows push notifications to deliver profile and security policy changes.

McAfee EMM Secure Container app (Android devices): The McAfee EMM Secure Container app is a free app, currently for Android only, that sandboxes enterprise email, contacts, and calendars.

Download Manager (Windows Mobile): The Download Manager is the communication module installed on Windows Mobile devices. It provides device-side communication with the McAfee EMM server.

PDA Secure (Windows Mobile): PDA Secure is the security module installed on Windows Mobile devices. It enforces security based on policies that are created in the McAfee EMM Console. Except for the password screen, there is no user interface for PDA Secure, and it can't be modified by the user. An administrative unlock code is required to remove PDA Secure from the device.

Configuration modes

The specific configuration of your McAfee EMM software depends on the unique needs of your environment.

The most common configurations are:

• Enhanced security mode on dual servers (recommended)

• Basic security mode on a single server

• Simplified mode (for use on a trial basis only)

Enhanced security mode (dual servers)

Enhanced security mode is the recommended configuration for McAfee EMM software. It provides maximum security and verifies web traffic before it enters your private network.

In an enhanced security installation, you authorize users based on their Active Directory or Domino credentials.

The enhanced security configuration installs McAfee EMM on two servers. The McAfee EMM Portal, DMG, ActiveSync Proxy, Compliance Filter, and Push Notifier are installed on an Internet-facing IIS server in the DMZ. The McAfee EMM Hub remains in the private subnet and runs the remaining server components.

Communication from the Internet to the DMZ is restricted to HTTPS on port 443. Traffic between McAfee servers is also an SSL connection. Using a custom installation, the Hub communicates with the DMZ components using a non-secure HTTP connection.


Basic security mode (single server)

Basic security mode is appropriate for smaller organizations without complex security requirements, or for trial installations.

In a basic security installation, you authorize users based on their Active Directory or Domino credentials.

In basic security mode, all McAfee EMM IIS components are installed on a single server that is available to mobile devices. Inbound traffic is allowed from the Internet for HTTPS sessions on port 443.

The McAfee EMM/IIS server is positioned in the internal subnet so that it can access account information in the authorization server and connect to the SQL server as needed.


Simplified mode

Simplified mode is appropriate when you install McAfee EMM software on a trial basis.

Simplified deployments use ActiveSync Protocol for user authentication, so you don't have to integrate with an LDAP environment. However, you must add users manually or by uploading a file of authorized users.

The server where the McAfee EMM Hub is installed communicates with the SQL Server and the Exchange server that is running ActiveSync.


Installation requirements

This section describes the system requirements and settings necessary to install and run McAfee EMM software.

System requirements

Use this table to verify that your system meets minimum operating requirements.

Requirement: Description

Hardware:

• 4 GB RAM

• Dual Core CPU

Operating system:

• Windows Server 2003 x86 or 64-bit with Service Pack 2 (Standard or Enterprise versions)

• Windows Server 2008 64-bit with Service Pack 2 (Standard or Enterprise versions)

• Windows Server 2008 R2 64-bit with Service Pack 1 (Standard or Enterprise versions)

Do not use Windows Server 2003 Service Pack 1 with SQL Express 2008. Installation fails with this configuration.

SQL Server: Microsoft SQL Server 2005, 2008, or 2008 R2

SQL Server 2008 R2 Express is available with the McAfee EMM installer.

Supported mobile devices: For a list of currently supported mobile devices, contact McAfee Technical Support or Sales.

Browsers:

• Internet Explorer

• Firefox

Microsoft Silverlight 3.0 or later must be installed on the browser.

Requirements for Public Key Infrastructure (PKI) environments

When installing McAfee EMM in a PKI environment using Enrollment Agents and certificate authority connections, the following requirements apply.

• Customized installation is required to install the Enrollment Agent. The McAfee EMM Deployment Helper guides you through obtaining your Enrollment Agent certificate.

• Installation in a PKI environment is supported only with Microsoft certificate authority running on Windows 2008 64-bit with Service Pack 1 or Windows 2008 R2 with Service Pack 1. Certificate authority can be standalone or enterprise, but it must belong to an AD domain.

• Your Enrollment Agent installation account must be set to "local" on the system where the Enrollment Agent is installed.


2 Preparing for installation

Before installing McAfee EMM, you must configure your system settings. The McAfee EMM Deployment Helper walks you through preparing your system and obtaining required certifications.

Contents

System settings
Run the McAfee Deployment Helper

System settings

Before installing McAfee EMM software, use this table to verify your system settings. The McAfee EMM Deployment Helper walks you through many of these prerequisites.

Requirement: External Domain for McAfee Services
Verifiable by Deployment Helper? No
Description: McAfee Services is accessible from the Internet using public domain registration.

Requirement: SSL Certificate
Verifiable by Deployment Helper? Yes
Description: You have an SSL certificate that matches the public DNS name and is from a recognized certificate authority like Verisign or Go Daddy.

Each time the SSL certificate is updated, all iOS devices are re-provisioned. Device users receive a confirmation to re-install the EMM profile. To avoid frequent provisioning, we suggest getting a multi-year SSL certificate. Don't use a trial certificate.

Requirement: MDM Certificate
Verifiable by Deployment Helper? Yes
Description: You have a valid MDM certificate if you want to use the MDM feature on iOS devices.

You can install McAfee EMM software with MDM disabled, but doing so disables the following features for devices running iOS versions 4 and later:

• Policy updates without user intervention

• Remote lock and passcode unlock

• Syncing for devices provisioned with the EMM Portal

• Cleaner selective wipe

• Uninstall without user intervention

• Ability to collect device details, including phone numbers, installed apps and profiles, certificates, restrictions, policy compliance, IMEI number, and WAPMACA address


Requirement: Router/Firewall Access Rules
Verifiable by Deployment Helper? Yes (internal ports only)
Description:

For all installations:

• Inbound traffic on Port 443 to the McAfee EMM servers is allowed.

• Traffic on Port 443 from the McAfee EMM server to the email servers providing ActiveSync is allowed.

• The McAfee EMM Hub connects to the LDAP server for authentication and to the remote SQL server where the EMM Database is installed.

For enhanced installations:

• Traffic on Port 443 or 80 from the McAfee EMM DMZ Server to Private LAN EMM internal server is allowed.

For iOS push notifications:

• Outbound connection from the external McAfee EMM Server to "Apple Push Notification Service" at gateway.push.apple.com on TCP port 2195 is allowed.

• Outbound connection from the external McAfee EMM server to "Apple Push Feedback Service" at feedback.push.apple.com on TCP port 2196 is allowed.

For specific port and configuration details for iOS devices in a business environment, see http://images.apple.com/iphone/business/docs/iPhone_IMAP.pdf.

For Android push notifications:

• The McAfee EMM Push Notifier connects to the Android C2DM service on port 443.

Requirement: Device Wi-Fi Access Rules
Verifiable by Deployment Helper? No
Description:

For iOS devices:

• Port 5223 outbound from the device is open. If the devices are on a 3G network, the port doesn't need to be opened.

For Android devices:

• Port 5228 outbound from the device is open.


Requirement: Installation Account
Verifiable by Deployment Helper? Yes
Description: The Windows/SQL account used for installation has permission to create a database on the database server.

• If a database already exists and was created by a system admin, the only permission required is CONNECT SQL. The logon credentials must be mapped to the database owner or to a user assigned appropriate permissions.

• If you can't give CREATE DATABASE permission to the installation account, you can create an empty database with the permissions CONNECT SQL and CREATE ANY DATABASE.

Requirement: User Authentication
Verifiable by Deployment Helper? Yes
Description:

For all installations:

• You know the fully qualified domain name or IP address of the server used for authentication. For AD authentication, a legacy (NT) name is also required.

• ActiveSync is fully functional and the Exchange or Domino Traveler server is configured for ActiveSync.

For enhanced and basic installations:

• Your Active Directory service account has "local administrator" privileges on the server where the McAfee EMM Hub is installed, and has read-only access to Active Directory or Domino LDAP services.

For simplified installations:

• You have access to a non-administrator Exchange account (with email access) to test your ActiveSync connection. Don't use a domain administrator account as the test account. Domain administrator accounts have built-in restrictions that prevent authentication using the ActiveSync channel.

See also SQL database permissions for installation on page 52
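
The port rules in the settings table above, together with the enhanced security mode description in chapter 1, can be checked against a firewall rule export before installation. The following is an added example, not McAfee code and not part of the original guide; the Rule format, the zone labels and the sample ruleset are constructed for illustration.

```python
"""Audit a firewall rule export against the flows this guide lists for an
enhanced security (dual-server) McAfee EMM deployment.

Added example, not McAfee code. The Rule format and the zone labels
(internet, dmz, internal, mail, c2dm, wifi) are constructed assumptions.
"""
from collections import namedtuple

# One permitted TCP flow: source zone, destination zone or host, port.
Rule = namedtuple("Rule", "src dst port")

# Flows the guide requires, each with a fixed port.
REQUIRED = {
    Rule("internet", "dmz", 443): "devices to Portal, DMG and ActiveSync Proxy",
    Rule("dmz", "mail", 443): "ActiveSync Proxy to the email servers",
    Rule("dmz", "gateway.push.apple.com", 2195): "Apple Push Notification Service",
    Rule("dmz", "feedback.push.apple.com", 2196): "Apple Push Feedback Service",
    Rule("dmz", "c2dm", 443): "Push Notifier to the Android C2DM service",
    Rule("wifi", "internet", 5223): "iOS devices on Wi-Fi",
    Rule("wifi", "internet", 5228): "Android devices on Wi-Fi",
}
# The Hub's LDAP and SQL connections are named in the guide without port
# numbers, so this audit does not check them.

# DMZ to Hub: 443 by default; 80 only in a custom install (non-secure HTTP).
HUB_SSL_PORT, HUB_HTTP_PORT = 443, 80


def _fmt(rule):
    return f"{rule.src}->{rule.dst}:{rule.port}"


def audit(rules):
    """Return sorted (severity, flow) findings for an enhanced-mode ruleset.

    missing   - a flow the guide requires is not permitted
    excess    - a flow is permitted that the enhanced model does not allow
    cleartext - DMZ components reach the Hub over non-secure HTTP
    """
    rules = set(rules)
    findings = [("missing", _fmt(need)) for need in REQUIRED if need not in rules]

    # The DMZ server must reach the internal server on 443 or 80.
    hub_ports = {r.port for r in rules if (r.src, r.dst) == ("dmz", "internal")}
    if not hub_ports & {HUB_SSL_PORT, HUB_HTTP_PORT}:
        findings.append(("missing", _fmt(Rule("dmz", "internal", HUB_SSL_PORT))))

    for r in rules:
        if r.src == "internet" and r.dst == "dmz":
            # Internet to DMZ is restricted to HTTPS on port 443.
            if r.port != 443:
                findings.append(("excess", _fmt(r)))
        elif r.src == "internet":
            # Any other inbound flow from the Internet bypasses the DMZ.
            findings.append(("excess", _fmt(r)))
        elif (r.src, r.dst) == ("dmz", "internal"):
            if r.port == HUB_HTTP_PORT:
                findings.append(("cleartext", _fmt(r)))
            elif r.port != HUB_SSL_PORT:
                findings.append(("excess", _fmt(r)))
    return sorted(findings)


# Constructed sample export with four deliberate problems.
SAMPLE_RULES = [
    Rule("internet", "dmz", 443),
    Rule("internet", "dmz", 80),         # inbound port other than 443
    Rule("internet", "internal", 443),   # Internet reaches the private subnet
    Rule("dmz", "internal", 80),         # custom install: HTTP to the Hub
    Rule("dmz", "mail", 443),
    Rule("dmz", "gateway.push.apple.com", 2195),
    # feedback.push.apple.com:2196 is not permitted in this sample
    Rule("dmz", "c2dm", 443),
    Rule("wifi", "internet", 5223),
    Rule("wifi", "internet", 5228),
]

if __name__ == "__main__":
    for severity, flow in audit(SAMPLE_RULES):
        print(f"{severity:9} {flow}")
```

The Deployment Helper verifies internal ports only, so the Internet-facing and push-service flows are the ones an audit like this has to cover.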


Run the McAfee Deployment Helper

The Deployment Helper verifies the McAfee EMM prerequisites and assists in preparing your environment for McAfee EMM installation. The Deployment Helper is available on the McAfee download site.

Tasks

• Run the Deployment Helper for enhanced security installations on page 18
  In an enhanced security installation, McAfee EMM is installed on two servers, so you must run the Deployment Helper on both servers. To prepare for an enhanced security installation, complete these tasks.

• Run the Deployment Helper for basic security installations on page 21
  The Deployment Helper walks you through preparing for basic installation by obtaining MDM and portal certificates, specifying your LDAP and ActiveSync servers, and creating your McAfee EMM Database.

• Run the Deployment Helper for custom installations on page 24
  The Deployment Helper walks you through preparing for custom installation, including installation in a PKI environment, by specifying the databases to use and obtaining required certification.

Run the Deployment Helper for enhanced security installations

In an enhanced security installation, McAfee EMM is installed on two servers, so you must run the Deployment Helper on both servers. To prepare for an enhanced security installation, complete these tasks.

Tasks

• Run the Deployment Helper on the internal server on page 18
  The Deployment Helper walks you through preparing your internal server for enhanced security installation by specifying your LDAP server and creating your McAfee EMM Database.

• Run the Deployment Helper on the external server on page 19
  The Deployment Helper walks you through preparing your external server for enhanced security installation by obtaining MDM and portal certificates, specifying your ActiveSync server, and setting the location of your McAfee EMM Hub.

Run the Deployment Helper on the internal server

The Deployment Helper walks you through preparing your internal server for enhanced security installation by specifying your LDAP server and creating your McAfee EMM Database.

Task

1 Log on to a Windows server.

2 Locate and execute the installer file DeploymentHelperInstall.msi.

3 On the Agreement screen, accept the terms of the license agreement, then click Install.

4 When the installation is complete, select Start | All Programs | McAfee EMM | EMM Deployment Helper.

5 On the Before You Begin screen, review the instructions, then click Next.

6 On the Specify Setup Type screen, select Enhanced Security Model - Internal Server, then click Next.

7 On the Introduction to Dual Server Installations (Internal Server) screen, review the information, then click Next.

8 On the Specify Database Server screen, complete the fields, then click Next.


Field: Value

Use SQL Express: Select to install SQL Express on the local system and create the McAfee EMM Database.

Server Name: Host name or IP address of the SQL server for your EMM Database.

Authentication:

• Windows Authentication (recommended)

• SQL Authentication

Username: User name for the connection to the EMM Database server.

Password: Password for the connection to the EMM Database server.

Database: Name of the database containing the McAfee EMM schema and data.

9 On the Specify LDAP Server screen, complete the fields, then click Next.

Field: Value

Authentication:

• Active Directory

• Domino

Domain FQDN: Fully qualified domain name of the server used for authentication.

Domain DN: Domain distinguished name. If the server is in the current domain, this field is automatically populated when Domain FQDN is completed.

Domain Name: Domain name of the LDAP server. This field is automatically populated when Domain FQDN is completed.

Username: User name for the connection to the directory server.

Password: Password for the connection to the directory server.

External EMM Proxy Server Address: Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.

10 On the Confirm Installation Settings screen, review your settings (print, email, or save your info by clicking the link), then click Run Scan.

When the scan is completed, results are shown. If any tasks are marked failed, review the information, then click the Launch KB Assistance link to help resolve any issues.

Run the Deployment Helper on the external server

The Deployment Helper walks you through preparing your external server for enhanced security installation by obtaining MDM and portal certificates, specifying your ActiveSync server, and setting the location of your McAfee EMM Hub.

Before you begin

Generate an MDM certificate according to the instructions in KB73382.

Task

1 Log on to a Windows server.

2 Locate and execute the installer file DeploymentHelperInstall.msi.

3 On the Agreement screen, accept the terms of the license agreement, then click Install.

4 When installation is complete, select Start | All Programs | McAfee EMM | EMM Deployment Helper.

5 On the Before You Begin screen, review the instructions, then click Next.


Page 20: EMM 10.1 Installation Guide

6 On the Specify Setup Type screen, select Enhanced Security Model - External Server, then click Next.

7 On the Introduction to Dual Server Installations (External Server) screen, review the information, then click Next.

8 On the Specify Hub Server screen, enter the server address for the McAfee EMM Hub, then click Next.

9 On the Provide an MDM Certificate screen, select Use Existing Certificate.

10 On the Specify an MDM Certificate screen in the File Path field, browse to select the .p12 file. Enter the password for the certificate, verify the Topic (this should match the MDM topic associated with your certificate), then click Next.

11 On the Provide a Portal Certificate screen, select one of these options:

If you want to... | Complete these steps...

Create New SSL Certificate

On the Generate an SSL Certificate Request screen, complete the fields under Certificate Request, then click Create to create the certificate request file.

• Common Name — Common name for the certificate.
• Organization — Name of your organization.
• Organization Unit — Unit within your organization that is requesting the certificate.
• City/Locality — Unabbreviated city of the organization.
• State/Province — Unabbreviated state name or province of the organization.
• Country/Region — Country or region of the organization.
• Certificate Request File Path — Browse to select the location to store the certificate request.

Verify the certificate request with a certificate authority. This is done separately from the Deployment Helper.

Once the certificate request is verified, complete the fields under Certificate Response, then click Export to export the certificate in .pfx format. Click Next to continue.

• Certificate File Path — Browse to select the valid .cer or .pem certificate file.
• Certificate Password — Password for the certificate.

On the Specify a Portal Certificate screen, complete the fields, then click Next.

• File Path — Browse to select the exported .pfx file.
• Password — Password for the certificate.

The user who creates the certificate must export the corresponding certificate response file. The private key created as part of the certificate request is stored in a secure Windows key container under that user's identity. Exporting the certificate response must be done on the same system where the certificate request was generated.

Use Existing SSL Certificate

On the Specify a Portal Certificate screen, complete the fields, then click Next.

• File Path — Browse to select the exported .pfx file.
• Password — Password for the certificate.


Page 21: EMM 10.1 Installation Guide

12 On the Specify ActiveSync Server screen, complete the fields, then click Next.

Field | Value
Server Address | Your mail server's ActiveSync server address. For a Domino server, enter <servername>/servlet/traveler.
Domain Name | Domain name of the server for authentication.
Username | User name in the domain for validating the ActiveSync connection.
Password | Password for the user name account.

13 On the Confirm Installation Settings screen, review your settings (print, email, or save your info by clicking the link), then click Run Scan.

When the scan is completed, results are shown. If any tasks are marked failed, review the information, then click the Launch KB Assistance link to help resolve any issues.
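Before selecting the MDM .p12 file or the exported portal .pfx file in the steps above, the file can be inspected from PowerShell. The following is an added example, not McAfee code: it confirms that the file still carries its private key (the export must happen under the user and on the system that generated the request), checks the validity window, and reads the MDM topic, which APNs MDM certificates carry in the subject's UID attribute. The function name, the 30-day warning window, and the file names in the usage comment are assumptions.

```powershell
# Added example, not McAfee code. Inspects a PKCS#12 (.p12/.pfx) file before it
# is selected in the Deployment Helper. Names below are hypothetical.
function Test-EmmCertificateFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ExpectedTopic,   # MDM topic to compare against (MDM certificate only)
        [int] $WarnDays = 30       # assumed renewal warning window
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Throws a CryptographicException if the password is wrong or the file is not PKCS#12.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $fullPath, $Password
    try {
        $problems = New-Object 'System.Collections.Generic.List[string]'
        $now = Get-Date

        if (-not $cert.HasPrivateKey) {
            $problems.Add('No private key in the file. Export it under the user account and on the system that generated the certificate request.')
        }
        if ($now -lt $cert.NotBefore) {
            $problems.Add("Certificate is not valid until $($cert.NotBefore).")
        }
        if ($now -gt $cert.NotAfter) {
            $problems.Add("Certificate expired on $($cert.NotAfter).")
        }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems.Add("Certificate expires within $WarnDays days ($($cert.NotAfter)).")
        }

        # The UID attribute is rendered as OID.0.9.2342.19200300.100.1.1 by Windows
        # and as UID by some other platforms; accept both spellings.
        $topic = $null
        if ($cert.Subject -match '(?:^|,\s*)(?:UID|OID\.0\.9\.2342\.19200300\.100\.1\.1)=([^,]+)') {
            $topic = $Matches[1].Trim()
        }
        if ($ExpectedTopic -and $topic -ne $ExpectedTopic) {
            $problems.Add("Topic '$topic' does not match expected '$ExpectedTopic'.")
        }

        # Enhanced key usage OIDs, if the certificate has the extension.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Topic         = $topic
            EKUs          = $ekus
            Problems      = $problems.ToArray()
        }
    }
    finally {
        $cert.Reset()   # release the certificate and key material loaded from the file
    }
}

# Usage (hypothetical file name and placeholder topic):
# $pw = Read-Host -AsSecureString 'Certificate password'
# Test-EmmCertificateFile -Path .\mdm.p12 -Password $pw -ExpectedTopic '<your MDM topic>'
```

An empty Problems array means the file has a private key, is inside its validity window, and, when -ExpectedTopic is given, carries the expected topic.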

Run the Deployment Helper for basic security installations

The Deployment Helper walks you through preparing for basic installation by obtaining MDM and portal certificates, specifying your LDAP and ActiveSync servers, and creating your McAfee EMM Database.

Before you begin

Generate an MDM certificate according to the instructions in KB73382.

Task

1 Log on to a Windows Server.

2 Locate and execute the installer file DeploymentHelperInstall.msi.

3 On the Agreement screen, accept the terms of the license agreement, then click Install.

4 When installation is complete, select Start | All Programs | McAfee EMM | EMM Deployment Helper.

5 On the Before You Begin screen, review the instructions, then click Next.

6 On the Specify Setup Type screen, select Basic Security Model - Single Server, then click Next.

7 On the Specify Database Server screen, complete the fields, then click Next.

Field | Value
Use SQL Express | Select to install SQL Express on the local system and create the McAfee EMM Database.
Server Name | Host name or IP address of the SQL server to install the EMM Database.
Authentication |
  • Windows Authentication (recommended)
  • SQL Authentication
Username | User name for the connection to the EMM Database server.
Password | Password for the connection to the EMM Database server.
Database | Name of the database containing the McAfee EMM schema and data.

8 On the Specify LDAP Server screen, complete the fields, then click Next.


Page 22: EMM 10.1 Installation Guide

Field | Value
Authentication |
  • Active Directory
  • Domino
Domain FQDN | Fully qualified domain name of the server used for authentication.
Domain DN | Domain distinguished name. If the server is in the current domain, this field is automatically populated when Domain FQDN is completed.
Domain Name | Domain name of the LDAP server. This field is automatically populated when Domain FQDN is completed.
Username | User name for the connection to the directory server.
Password | Password for the connection to the directory server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.

9 On the Provide an MDM Certificate screen, select Use Existing Certificate.

10 On the Specify an MDM Certificate screen in the File Path field, browse to select the .p12 file. Enter the password for the certificate, verify the Topic (this should match the MDM topic associated with your certificate), then click Next.

11 On the Provide a Portal Certificate screen, select one of these options:


Page 23: EMM 10.1 Installation Guide

If you want to... | Complete these steps...

Create New SSL Certificate

On the Generate an SSL Certificate Request screen, complete the fields under Certificate Request, then click Create to create the certificate request file.

• Common Name — Common name for the certificate.
• Organization — Name of your organization.
• Organization Unit — Unit within your organization that is requesting the certificate.
• City/Locality — Unabbreviated city of the organization.
• State/Province — Unabbreviated state name or province of the organization.
• Country/Region — Country or region of the organization.
• Certificate Request File Path — Browse to select the location to store the certificate request.

Verify the certificate request with a certificate authority. This is done separately from the Deployment Helper.

Once the certificate request is verified, complete the fields under Certificate Response, then click Export to export the certificate in .pfx format. Click Next to continue.

• Certificate File Path — Browse to select the valid .cer or .pem certificate file.
• Certificate Password — Password for the certificate.

On the Specify a Portal Certificate screen, complete the fields, then click Next.

• File Path — Browse to select the exported .pfx file.
• Password — Password for the certificate.

The user who creates the certificate must export the corresponding certificate response file. The private key created as part of the certificate request is stored in a secure Windows key container under that user's identity. Exporting the certificate response must be done on the same system where the certificate request was generated.

Use Existing SSL Certificate

On the Specify a Portal Certificate screen, complete the fields, then click Next.

• File Path — Browse to select the exported .pfx file.
• Password — Password for the certificate.

12 On the Specify ActiveSync Server screen, complete the fields, then click Next.

Field | Value
Server Address | Your mail server's ActiveSync server address. For a Domino server, enter <servername>/servlet/traveler.
Domain Name | Domain name of the server for authentication.
Username | User name in the domain for validating the ActiveSync connection.
Password | Password for the user name account.

13 On the Confirm Installation Settings screen, review your settings (print, email, or save your info by clicking the link), then click Run Scan.

When the scan is completed, results are shown. If any tasks are marked failed, review the information, then click the Launch KB Assistance link to help resolve any issues.


Page 24: EMM 10.1 Installation Guide

Run the Deployment Helper for custom installations

The Deployment Helper walks you through preparing for custom installation, including installation in a PKI environment, by specifying the databases to use and obtaining required certification.

Before you begin

If you want to enable MDM on your McAfee EMM system, generate an MDM certificate according to the instructions in KB73382.

For PKI installations, run the Deployment Helper on the system where you plan to install the Enrollment Agent.

Task

1 Log on to a Windows Server.

2 Locate and execute the installer file DeploymentHelperInstall.msi.

3 On the Agreement screen, accept the terms of the license agreement, then click Install.

4 When installation is complete, select Start | All Programs | McAfee EMM | EMM Deployment Helper.

5 On the Before You Begin screen, review the instructions, then click Next.

6 On the Specify Setup Type screen, select Custom Installation, then click Next.

7 On the Select Components to Test screen, select the components you want to install, then click Next.

The installation screens appear for the components you selected.

8 Complete the settings screens for each component you selected in the previous step. See Pre-installation settings for components.

9 On the Confirm Installation Settings screen, review your settings (print, email, or save your info by clicking the link), then click Run Scan.

When the scan is completed, results are shown. If any tasks are marked failed, review the information provided. Click the Launch KB Assistance link to help resolve any issues.

Pre-installation settings for components

Use these tables to complete the Deployment Helper's settings screens in a custom installation.

Table 2-1 Database settings

Field | Value
Use SQL Express | Select to install SQL Express on the local system and create the McAfee EMM Database.
Server Name | Host name or IP address of the SQL server to install the EMM Database.
Authentication |
  • Windows Authentication (recommended)
  • SQL Authentication
Username | User name for the connection to the EMM Database server.
Password | Password for the connection to the EMM Database server.
Database | Name of the database for the McAfee EMM schema and data.


Page 25: EMM 10.1 Installation Guide

Table 2-2 LDAP settings

Field | Value
Authentication |
  • Active Directory
  • Domino
Domain FQDN | Fully qualified domain name of the server used for authentication.
Domain DN | Domain distinguished name. If the server is in the current domain, this field is automatically populated when Domain FQDN is completed.
Domain Name | Domain name of the LDAP server. This field is automatically populated when Domain FQDN is completed.
Username | User name for the connection to the directory server.
Password | Password for the connection to the directory server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.


Page 26: EMM 10.1 Installation Guide

Table 2-3 Portal Certificate settings

If you want to... | Complete these steps...

Create New SSL Certificate

On the Generate an SSL Certificate Request screen, complete the fields under Certificate Request, then click Create to create the certificate request file.

• Common Name — Common name for the certificate.
• Organization — Name of your organization.
• Organization Unit — Unit within your organization that is requesting the certificate.
• City/Locality — Unabbreviated city of the organization.
• State/Province — Unabbreviated state name or province of the organization.
• Country/Region — Country or region of the organization.
• Certificate Request File Path — Browse to select the location to store the certificate request.

Verify the certificate request with a certificate authority. This is done separately from the Deployment Helper.

Once the certificate request is verified, complete the fields under Certificate Response, then click Export to export the certificate in .pfx format. Click Next to continue.

• Certificate File Path — Browse to select the valid .cer or .pem certificate file.
• Certificate Password — Password for the certificate.

On the Specify a Portal Certificate screen, complete the fields, then click Next.

• File Path — Browse to select the exported .pfx file.
• Password — Password for the certificate.

The user who creates the certificate must export the corresponding certificate response file. The private key created as part of the certificate request is stored in a secure Windows key container under that user's identity. Exporting the certificate response must be done on the same system where the certificate request was generated.

Use Existing SSL Certificate

On the Specify a Portal Certificate screen, complete the fields, then click Next.

• File Path — Browse to select the exported .pfx file.
• Password — Password for the certificate.

Table 2-4 ActiveSync Server settings

Field | Value
Server Address | Your mail server's ActiveSync server address. For a Domino server, enter <servername>/servlet/traveler.
Domain Name | Domain name of the server for authentication.
Username | User name in the domain for validating the ActiveSync connection.
Password | Password for the user name account.


Page 27: EMM 10.1 Installation Guide

Table 2-5 PKI Agent settings

If you want to... | Complete these steps...

Create Signer Certificate Request

On the Generate a Signer Certificate Request screen, complete the fields, then click Create.

• Common Name — Common name for the certificate.
• Organization — Name of your organization.
• Organization Unit — Unit within your organization that is requesting the certificate.
• City/Locality — Unabbreviated city of the organization.
• State/Province — Unabbreviated state name or province of the organization.
• Country/Region — Country or region of the organization.
• Email — Email address of the administrator making the request.
• Certificate Request File Path — Browse to select the location to store the certificate request.

Generate Signer Certificate

On the Create a Signer Certificate screen, complete the fields, then click Create.

• Certificate Request File Path — Browse to select the location for the signer certificate request.
• Certificate Password — Password for the certificate.
• CA Name — URL of the enrollment server, or the fully qualified domain name of the certificate authority server and certificate authority name (common name as entered on the certificate), in the format <CA server>\<CA name>.
• Certificate Response File Path — Browse to select the location to store the certificate request.

Test Device Certificate Creation

On the Create a Device Certificate screen, complete the fields, then click Next.

• Certificate Template — Certificate template name. For example, user.
• Subject Template — Certificate subject name. For example, CN=user.
• EKUs — Extended key usage object identifiers separated by commas. For example, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.8.
• Server Name — Certificate authority server name.
• Signer Certificate — Select from the list of signer certificates returned by the certificate authority.

Table 2-6 BlackBerry server settings

Field | Value
Server Address | BES server address.
Authentication | Authentication method.
Username | User name for validating the BES server.
Password | Password for the user name account.
Domain | Domain of the authentication account for the BES server.


Page 28: EMM 10.1 Installation Guide


Page 29: EMM 10.1 Installation Guide

3 Installing McAfee EMM software

The installation process depends on your planned configuration.

Contents

Install McAfee EMM software in enhanced security mode
Install McAfee EMM software in basic security mode
Install McAfee EMM software in simplified mode
Customize your McAfee EMM installation
Install auxiliary components
Troubleshoot certificate errors

Install McAfee EMM software in enhanced security mode

Install McAfee EMM software in enhanced security mode for maximum security. This configuration installs the McAfee server-side components on dual servers. For an enhanced security installation, complete these tasks.

Before you begin

Run the McAfee Deployment Helper for enhanced security mode.

Tasks

• Install the internal components on page 30
  Install the McAfee EMM Hub, Console, and Database on the internal server. This is the first step to install McAfee EMM in enhanced security mode.

• Install the external components on page 31
  Install the McAfee EMM Portal, DMG, and Proxy on the external server. This is the second step to installing McAfee EMM in enhanced security mode.


Page 30: EMM 10.1 Installation Guide

Install the internal components

Install the McAfee EMM Hub, Console, and Database on the internal server. This is the first step to install McAfee EMM in enhanced security mode.

Task

1 Log on to the server where you want to install the internal components.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

• If the installer doesn't detect the Windows installer or .NET version, you are prompted to install them now. Click Continue to install.

• If prompted to reboot the server, click Yes. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

4 On the Options screen, select Dual Server (Internal) to install the Hub, Console, and Database on the current server.

5 On the Database Settings screen, complete the fields, then click Next.

If the installer does not detect SQL Express, the field Install SQL Express 2008 R2 appears and all other fields, except Password, are disabled. Complete the Password field and follow the prompts to install SQL Express, or deselect the installation option and complete the fields.

Field | Value
Server Name | Host name where you want to install the McAfee EMM Database.
Authentication |
  • Windows Authentication (recommended)
  • SQL Authentication
Login | User name for the connection to the EMM Database server.
Password | Password for the connection to the EMM Database server.
Database | Name of the database that contains your McAfee EMM schema and data.

6 On the LDAP Settings screen, complete the fields, then click Next.

Your entries on this screen depend on whether you select user authentication based on Active Directory or Domino credentials.

Field | Value
Authentication |
  • Active Directory
  • Domino
Domain FQDN | Fully qualified domain name of the server for authentication.
Domain DN | Directory service name to be used for authentication:
  • Active Directory — This field is populated when Domain FQDN is completed.
  • Domino — Leave this field blank.
Domain Name | The domain name of the server to be used for authentication:
  • Active Directory — This field is populated when Domain FQDN is completed.
  • Domino — Domain name of the server for authentication.


Page 31: EMM 10.1 Installation Guide

Field | Value
Username | User name for the connection to the directory server.
Password | Password for the connection to the directory server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.

7 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

8 Click Finish to close the installer.

Install the external components

Install the McAfee EMM Portal, DMG, and Proxy on the external server. This is the second step to installing McAfee EMM in enhanced security mode.

Before you begin

Install the McAfee EMM Hub, Console, and Database on the internal server.

Task

1 Log on to the server where you want to install the external components.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

• If the installer doesn't detect the Windows installer or .NET version, you are prompted to install them now. Click Continue to install.

• If prompted to reboot the server, click Yes. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

4 On the Options screen, click Dual Server (External) to install the McAfee EMM Portal, DMG, and Proxy.

5 On the Certificate Settings screen, complete the fields, then click Next.

Field | Value
File Path | Select your public security certificate.
Password | Password for your public security certificate.
Certificate Option |
  • User-defined — If your MDM certificate is available, select this option and complete the File Path and Password fields. MDM Topic is populated automatically.
  • None – MDM Disabled — The MDM feature is disabled and iOS devices versions 4 and later are treated as legacy devices. This doesn't affect MDM/C2DM-supported Android devices.


Page 32: EMM 10.1 Installation Guide

6 On the DMZ Component Settings screen in the ActiveSync Server Address field, enter the IP address or FQDN of the ActiveSync server that the McAfee EMM Proxy connects to for email. Verify the ActiveSync server connection using these steps:

a Click the green checkmark next to the ActiveSync Server address. The ActiveSync Server Verification screen appears with the Username, Password, and Domain fields automatically populated with the credentials you specified on the LDAP Settings screen.

b Click Verify. If the connection was successful, the message "Successfully connected to [server]" appears.

If the verification was unsuccessful, do the following, based on the error code:

Error Code 500 | Make sure that the Exchange server is operational.
Error Code 403 | Make sure that the user credentials are valid, that the user has a mailbox configured in the Exchange server, and that the Exchange server is accessible from the EMM server.

c Click OK to return to the DMZ Component Settings screen, then click Next.

7 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

8 Click Finish to close the installer.
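When the Verify button in step 6 fails, the same connection can be probed by hand from the EMM server. The following is an added PowerShell example, not McAfee code, and this guide does not document how the installer performs its own check. The HTTPS scheme, the /Microsoft-Server-ActiveSync path (Exchange's default virtual directory), the function name, and the 401 and "no response" messages are assumptions; the 500 and 403 advice repeats the error-code table in step 6.

```powershell
# Added example, not McAfee code. Sends an authenticated HTTP OPTIONS request to
# the ActiveSync endpoint and maps the status code to the guide's troubleshooting advice.
function Test-ActiveSyncEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,          # IP address or FQDN entered in the installer
        [Parameter(Mandatory)] [pscredential] $Credential, # DOMAIN\user with a mailbox
        # Assumed default; for a Domino server the guide gives /servlet/traveler.
        [string] $EndpointPath = '/Microsoft-Server-ActiveSync'
    )

    $uri = 'https://{0}/{1}' -f $Server.TrimEnd('/'), $EndpointPath.TrimStart('/')
    $status = 0
    $detail = $null
    $versions = $null

    try {
        $resp = Invoke-WebRequest -Uri $uri -Method Options -Credential $Credential `
                                  -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        $status = [int]$resp.StatusCode
        # Exchange lists the supported protocol versions in this response header.
        $versions = @($resp.Headers['MS-ASProtocolVersions']) -join ','
    }
    catch {
        $detail = $_.Exception.Message
        # An HTTP error still carries a response; DNS, TCP, and TLS failures do not.
        $errorResponse = $_.Exception.Response
        if ($null -ne $errorResponse) { $status = [int]$errorResponse.StatusCode }
    }

    $advice = switch ($status) {
        200     { 'Connected. The endpoint accepted the credentials.' }
        401     { 'Credentials were rejected. Check the user name, password, and domain.' }
        403     { 'Make sure that the user credentials are valid, that the user has a mailbox configured in the Exchange server, and that the Exchange server is accessible from the EMM server.' }
        500     { 'Make sure that the Exchange server is operational.' }
        0       { 'No HTTP response. Check name resolution, firewall rules, and the server TLS certificate.' }
        default { 'Unexpected status. Review the mail server logs for this request.' }
    }

    [pscustomobject]@{
        Uri              = $uri
        StatusCode       = $status
        ProtocolVersions = $versions
        Advice           = $advice
        Detail           = $detail
    }
}

# Usage (hypothetical host name):
# Test-ActiveSyncEndpoint -Server mail.example.com -Credential (Get-Credential)
```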

Install McAfee EMM software in basic security mode

Use a basic security installation if your organization doesn't have complex security requirements. This configuration installs the McAfee EMM components on a single server.

Before you begin

Run the McAfee Deployment Helper for basic security installations.

Task

1 Log on to a Windows Server.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

• If the installer doesn't detect the Windows installer or .NET version, you are prompted to install them now. Click Continue to install.

• If prompted to reboot the server, click Yes. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

4 On the Options screen, click Single Server.

5 On the Database Settings screen, complete the fields, then click Next.

If the installer doesn't detect SQL Express, the field Install SQL Express 2008 R2 appears, and all other fields except Password are disabled. Complete the Password field and follow the prompts to install SQL Express, or deselect the installation option and complete the fields.


Page 33: EMM 10.1 Installation Guide

Field | Value
Server Name | Host name where you want to install the McAfee EMM Database.
Authentication |
  • Windows Authentication (recommended)
  • SQL Authentication
Login | User name for the connection to the EMM Database server.
Password | Password for the connection to the EMM Database server.
Database | Name of the database that contains your McAfee EMM schema and data.

6 On the LDAP Settings screen, complete the fields, then click Next.

Your entries on this screen depend on whether you select user authentication based on Active Directory or Domino credentials.

Field | Value
Authentication |
  • Active Directory
  • Domino
Domain FQDN | Fully qualified domain name of the server for authentication.
Domain DN | Directory service name to be used for authentication:
  • Active Directory — This field is populated when Domain FQDN is completed.
  • Domino — Leave this field blank.
Domain Name | The domain name of the server to be used for authentication:
  • Active Directory — This field is populated when Domain FQDN is completed.
  • Domino — Domain name of the server for authentication.
Username | User name for the connection to the directory server.
Password | Password for the connection to the directory server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.

7 On the Certificate Settings screen, complete the fields, then click Next.

Field | Value
File Path | Select your public security certificate.
Password | Password for your public security certificate.
Certificate Option |
  • User-defined — If your MDM certificate is available, select this option and complete the File Path and Password fields. MDM Topic is populated automatically.
  • None – MDM Disabled — The MDM feature is disabled and iOS devices versions 4 and later are treated as legacy devices. This doesn't affect MDM/C2DM-supported Android devices.


Page 34: EMM 10.1 Installation Guide

8 On the DMZ Component Settings screen in the ActiveSync Server Address field, enter the IP address or FQDN of the ActiveSync server that the McAfee EMM Proxy connects to for email. Verify the ActiveSync server connection using these steps:

a Click the green checkmark next to the ActiveSync Server address. The ActiveSync Server Verification screen appears with the Username, Password, and Domain fields auto-populated from the credentials you specified on the LDAP Settings screen.

b Click Verify. If the connection was successful, the message "Successfully connected to [server]" appears.

If the verification was unsuccessful, do the following, based on the error code:

Error Code 500 | Make sure that the Exchange server is operational.
Error Code 403 | Make sure that the user credentials are valid, that the user has a mailbox configured in the Exchange server, and that the Exchange server is reachable from the EMM server.

c Click OK to return to the DMZ Component Settings screen, then click Next.

9 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

10 Click Finish to close the installer.

Install McAfee EMM software in simplified mode

Use a simplified deployment if you are installing McAfee EMM software on a trial basis.

Task

1 Log on to a Windows Server.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

• If the installer doesn't detect the Windows installer or .NET version, you are prompted to install them now. Click Continue to install.

• If prompted to reboot the server, click Yes. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

4 On the Options screen, click Single Server.

5 On the Database Settings screen, complete the fields, then click Next.

If the installer doesn't detect SQL Express, the field Install SQL Express 2008 R2 appears and all other fields except Password are disabled. Complete the Password field and follow the prompts to install SQL Express, or deselect the installation option and complete the fields.

Field | Value
Server Name | Host name where you want to install the McAfee EMM Database.
Authentication |
  • Windows Authentication (recommended)
  • SQL Authentication


Page 35: EMM 10.1 Installation Guide

Field | Value
Login | User name for the connection to the EMM Database server.
Password | Password for the connection to the EMM Database server.
Database | Name of the database that contains your McAfee EMM schema and data.

6 On the LDAP Settings screen, complete the fields, then click Next.

Field | Value
Authentication | ActiveSync Protocol
ActiveSync Server | ActiveSync server used for authentication. This server tests that users have an email-enabled Exchange account.
Domain Name | Domain name of the ActiveSync server.
Verification Username | User name to connect to the directory server.
Verification Password | Password to connect to the directory server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.

7 On the Certificate Settings screen, complete the fields, then click Next.

Field                Value
File Path            Select your public security certificate.
Password             Password for your public security certificate.
Certificate Option   • User-defined — If your MDM certificate is available, select this option and complete the File Path and Password fields. MDM Topic is populated automatically.
                     • None - MDM Disabled — The MDM feature is disabled and iOS devices versions 4 and later are treated as legacy devices. This doesn't affect MDM/C2DM-supported Android devices.

8 On the DMZ Component Settings screen in the ActiveSync Server Address field, enter the IP address or FQDN of the ActiveSync server that the McAfee EMM Proxy connects to for email. Verify the ActiveSync server connection using these steps:

a Click the green checkmark next to the ActiveSync Server address. The ActiveSync Server Verification screen appears with the Username, Password, and Domain fields automatically populated from the credentials you specified on the LDAP Settings screen.

b Click Verify. If the connection was successful, the message "Successfully connected to [server]" appears.

If the verification was unsuccessful, do the following, based on the error code:

Error Code 500   Make sure that the Exchange server is operational.
Error Code 403   Make sure that the user credentials are valid, that the user has a mailbox configured on the Exchange server, and that the Exchange server is reachable from the EMM server.

c Click OK to return to the DMZ Component Settings screen, then click Next.


Page 36: EMM 10.1 Installation Guide

9 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

10 Click Finish to close the installer.

Customize your McAfee EMM installation

Use a customized installation if you have unique configuration requirements, including operating in a PKI environment.

Before you begin

If you are customizing your installation for an HA environment, install the McAfee EMM Hub on a single server, then export an encryption key and use it to install additional components on a second server. You can then pair your systems using load balancing as appropriate for your setup.

Task

1 Log on to a Windows server.

For a PKI installation, you must install on an internal server.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

• If the installer doesn't detect the Windows installer or .NET version, you are prompted to install them now. Click Continue to install.

• If prompted to reboot the server, click Yes. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

4 On the Options screen, click Custom Installation.

5 On the Components screen, select the components you want to install, complete the fields, then click Next.

For a PKI installation, select Database, PKI Agent, Console, and Hub.

Field                           Value
Installation Website            Website where the web service is installed.
Internal Connectivity           Connection method used by McAfee web services to communicate with the McAfee EMM Hub.
Encryption Key                  • Default Key
                                • Custom Key — For use when installing in an HA environment.
Hub Server Address (optional)   This field appears only if you didn't select to install the McAfee EMM Hub. Enter the address of the Hub, including the port number. For example, servername:portnumber.

6 Complete the settings screens for each component you selected in the previous step. See Installation settings for components.


Page 37: EMM 10.1 Installation Guide

7 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

8 Click Finish and run the installer on additional servers as needed.

To complete a PKI installation, next install the McAfee EMM Portal, DMG, and Proxy on an external server.

See also Export your encryption key on page 51

Installation settings for components

Use these tables to complete the settings screens in a customized installation.

Table 3-1 Database settings

Field            Value
Server name      Host name where you want to install the McAfee EMM Database.
Authentication   • Windows Authentication (recommended)
                 • SQL Authentication
Login            User name for the connection to the EMM Database server.
Password         Password for the connection to the EMM Database server.
Database         Name of the database that contains your McAfee EMM schema and data.

Table 3-2 LDAP settings

Field                               Value
Authentication                      • Active Directory
                                    • Domino
Domain FQDN                         Fully qualified domain name of the server for authentication.
Domain DN                           Directory service name to be used for authentication:
                                    • Active Directory — This field is populated when Domain FQDN is completed.
                                    • Domino — Leave this field blank.
Domain Name                         The domain name of the server to be used for authentication:
                                    • Active Directory — This field is populated when Domain FQDN is completed.
                                    • Domino — Enter the domain name of the server for authentication.
Username                            User name to connect to the directory service.
Password                            Password to connect to the directory service.
External EMM Proxy Server Address   Fully qualified domain name of the McAfee EMM Proxy for external connectivity. This is the address of the EMM Proxy that devices connect to for ActiveSync.


Page 38: EMM 10.1 Installation Guide

Table 3-3 Portal Certificate settings

Field                Value
File Path            Select your public security certificate.
Password             Password for your public security certificate.
Certificate Option   • User-defined — If your MDM certificate is available, select this option and complete the File Path and Password fields. MDM Topic is populated automatically.
                     • None – MDM Disabled — The MDM feature is disabled and iOS devices versions 4 and later are treated as legacy devices. This doesn't affect MDM/C2DM-supported Android devices.

Table 3-4 PKI Agent settings

Field                Value
User                 User name for the connection to the Enrollment Agent service account.
Password             Password for the connection to the Enrollment Agent.
Domain               Domain name of the Enrollment Agent.
CA Name              Fully qualified domain name of the certificate authority server, in the format <CA server>\<CA name>.
Signer Certificate   Select the Enrollment Agent certificate.

Install auxiliary components

Install auxiliary components to manage the specific types of mobile devices in use on your network.

Tasks

• Install the Download Manager File Installer for Windows Mobile support on page 38
  Install the McAfee EMM Download Manager installer if your organization uses Windows Mobile devices. The Download Manager can be added to any installation configuration.

• Install the BlackBerry Enterprise Server (BES) Agent for BlackBerry support on page 39
  Install the BES Agent if your organization uses BlackBerry devices. A BES Agent can be added to any installation configuration.

Install the Download Manager File Installer for Windows Mobile support

Install the McAfee EMM Download Manager installer if your organization uses Windows Mobile devices. The Download Manager can be added to any installation configuration.

Task

1 Log on to the server where you want to install the Download Manager.

2 Locate and right-click the file TDDMFilesSetup.exe, then select Run as Administrator.

3 When prompted by the McAfee Files Setup InstallShield Wizard, click Next.

4 On the Agreement screen, accept the terms of the license agreement, then click Next.

5 On the Database Server screen, complete the fields, then click Next.


Page 39: EMM 10.1 Installation Guide

Field             Value
Database Server   Database server where the McAfee EMM Database was installed.
Connect Using     • Windows Authentication (recommended)
                  • SQL Authentication — You are prompted to enter the Login ID and Password for the connection to the database.

6 On the Select Database screen, select the name of the McAfee EMM Database, then click Next.

7 On the Download Manager File Configuration screen, complete the fields, then click Next.

Field                                  Value
Device Management Gateway location     URL of the server where the DMG is located. Don't enter the protocol.
SSL                                    Select to use SSL communication.
Port                                   Port available for HTTPS sessions on the server.
Domain (optional)                      Name of the domain that authenticates users. If you are using multiple domains, leave this field blank.

8 Click Install.

When the program is installed, the Install Wizard Complete screen appears.

9 Click Finish to close the installer.

Install the BlackBerry Enterprise Server (BES) Agent for BlackBerry support

Install the BES Agent if your organization uses BlackBerry devices. A BES Agent can be added to any installation configuration.

If the BES server uses multiple authentication servers, they all must be added to McAfee EMM.

When the BES Agent is installed, it immediately begins communicating with the authentication servers. If you are using multiple authentication servers, you must install the McAfee EMM software and all authentication servers from the Console (System Settings | Authorization Servers) before installing the BES Agent. You can install the BES Agent on the McAfee internal server or the DMZ server.

Task

1 Log on to the server where you want to install the BES Agent.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

• If the installer doesn't detect the Windows installer or .NET version, you are prompted to install them now. Click Continue to install.

• If prompted to reboot the server, click Yes. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

4 On the Options screen, click Custom Installation.


Page 40: EMM 10.1 Installation Guide

5 On the Components screen, select BES Agent, complete the fields, then click Next.

Field                   Value
Installation Website    Website where the web service is installed.
Internal Connectivity   Connection method used by McAfee web services to communicate with the McAfee EMM Hub.
Encryption Key          Default Key

6 On the BES Agent Settings screen, complete the fields, then click Next.

Field                          Value
BlackBerry Server              BES server address.
Data Retrieval Frequency (h)   Frequency in hours that the BES server is re-queried for device data.
Authentication                 User account used to authenticate to the BES server.
Username                       User name of the authentication account for the BES server.
Password                       Password of the authentication account for the BES server.
Domain                         Domain of the authentication account for the BES server.

7 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

8 Click Finish to close the installer.

Troubleshoot certificate errors

If you encounter errors importing your portal certificate or Enrollment Agent certificate during installation, check for the following conditions and fix them before continuing.

Portal certificate errors

• The password was incorrect.

• The certificate file is invalid, does not exist, or is empty.

• The certificate chain in the certificate file does not contain the necessary issuers.

• The certificate's validity period is invalid.

• None of the certificates in the certificate chain are marked as certificate authority certificates.

• There is no certificate chain in the certificate file.

• An unexpected error occurred when determining the validity of the certificate.
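The conditions in this list can be checked on the certificate file before the installer is run. The following PowerShell is an added example, not McAfee code or part of the original guide; it assumes the portal certificate file is a password-protected PKCS#12 (.pfx) bundle, and Test-PortalCertificateBundle is a hypothetical helper name. The sample input is a self-signed, leaf-only bundle constructed in memory, so the chain checks have something to report.

```powershell
# Added example, not McAfee code. Assumes the certificate file is a PKCS#12 (.pfx) bundle and
# Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: returns one finding per condition from the guide's portal certificate list.
function Test-PortalCertificateBundle {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [byte[]] $PfxBytes,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Password
    )
    if ($PfxBytes.Length -eq 0) { return 'The certificate file is empty.' }

    # A wrong password and a malformed file both surface as an import exception.
    $bundle = [X509Certificate2Collection]::new()
    try {
        $bundle.Import($PfxBytes, $Password, [X509KeyStorageFlags]::DefaultKeySet)
    } catch {
        return "Import failed (incorrect password or invalid file): $($_.Exception.GetBaseException().Message)"
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    $now = Get-Date
    foreach ($cert in $bundle) {
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings.Add("Validity period does not cover today: $($cert.Subject)")
        }
        # Name-based check only: each non-self-signed certificate needs its issuer in the same file.
        $issuerInFile = @($bundle | Where-Object { $_.Subject -eq $cert.Issuer }).Count -gt 0
        if ($cert.Subject -ne $cert.Issuer -and -not $issuerInFile) {
            $findings.Add("Issuer missing from the file: $($cert.Issuer)")
        }
    }
    if ($bundle.Count -lt 2) {
        $findings.Add('There is no certificate chain in the file.')
    }
    # A CA certificate carries a Basic Constraints extension with the CA flag set.
    $caCerts = @($bundle | Where-Object {
        $_.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] -and $_.CertificateAuthority }
    })
    if ($caCerts.Count -eq 0) {
        $findings.Add('None of the certificates is marked as a certificate authority certificate.')
    }
    return $findings
}

# Constructed sample: a self-signed, leaf-only bundle built in memory (not a real portal certificate).
$key  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=emm.example.test', $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::Now
$self = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
$pfx  = $self.Export([X509ContentType]::Pfx, 'constructed-password')

Test-PortalCertificateBundle -PfxBytes $pfx -Password 'constructed-password'
Test-PortalCertificateBundle -PfxBytes $pfx -Password 'wrong-password'

# Real file (path and password are yours to supply):
#   Test-PortalCertificateBundle -PfxBytes ([IO.File]::ReadAllBytes($Path)) -Password $PfxPassword
```

The issuer check compares subject and issuer names inside the file only; it does not verify signatures or consult the Windows certificate stores.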

Enrollment Agent certificate errors for PKI environments

• Look for errors in the EMM server event log.

• Look for failed requests listed on the certificate authority server and find the request that failed. The certificate authority log might have more details than the EMM log about why the certificate request failed.


Page 41: EMM 10.1 Installation Guide

• In the EMM certificate configuration, make sure you use the template name and not the template display name. The name displayed in the template list is the display name. Check the template properties for the name. For example, the template name for the "Web Server" template is "WebServer" (no spaces).

• If you get errors about issuance requirements:

  • Select the Issuance requirements tab in the template properties.

  • Deselect CA cert manager approval.

  • Select This number of authorized signatures. The number next to it should be 1.

  • Select policy type application policy, then in the application policy drop-down list, select certificate request agent.


Page 43: EMM 10.1 Installation Guide

4 Provisioning user devices

After installing the McAfee EMM software on your servers, users can provision their mobile devices to your network with the system's client-side components, including the McAfee EMM app and Secure Container.

Contents

• Overview of provisioning
• Provision iOS devices
• Provision Android devices
• Provision Windows Phone 7 devices
• Provision Windows Mobile devices

Overview of provisioning

You must provision the device from the device itself. Provisioning methods vary by device.

You can provision devices using these methods:

• iOS devices — Use the McAfee EMM app.

• Androids — Use the McAfee EMM app. Some devices require manual email configuration using Exchange ActiveSync.

• Windows Phone 7 — Configure email using Exchange ActiveSync.

• Windows Mobile — Use the McAfee EMM Portal.

To validate credentials, the McAfee EMM server needs details of the Active Directory, Domino directory, or ActiveSync server. If your system specifies authorized users, the user must be on the authorized users list. For details on authorization servers and authorized users, see the McAfee EMM Product Guide.

Prior to provisioning, do the following:

1 Verify that the date and time on the device are set accurately.

2 Update your device catalog. For details on adding the device catalog, see the McAfee EMM Product Guide.

3 If you want the McAfee EMM app to automatically detect the EMM Portal, create an SRV record.

See also Create an SRV record on page 51


Page 44: EMM 10.1 Installation Guide

Provision iOS devices

Use the McAfee EMM app to provision your iOS device. You can do this with or without a provisioning token, or one-time password, set by the administrator.

Task

1 Download the McAfee EMM app from the Apple App Store.

2 Launch the McAfee EMM app, then click OK to allow the app to use your current location.

If corporate policy blocks jailbroken devices, location must be turned on to avoid disruption in email service. Your location is not stored in any database, nor is it made available to the company.

3 Enter your email address and password, then click Sign In.

a (Optional) If your device doesn't automatically detect the EMM server, enter the server address provided by your administrator, then click Sign In.

b (Optional) If your administrator set a temporary password, on the Provisioning Token screen, enter the password, then click OK.

4 On the User Agreement screen, click Accept.

5 On the Install Profile screen, click Install, then confirm by clicking Install Now.

If the device has a passcode, the Enter Passcode screen appears. Enter your passcode, then click Done.

6 Click Install to allow your server administrator to remotely manage your device.

7 On the Profile Installed screen, click Done.

Provision Android devices

Use the McAfee EMM app to provision your Android device. The app walks you through installing the Secure Container. If you don't install the Secure Container, most Android devices require manual email configuration using Exchange ActiveSync.

Tasks

• Provision Android devices using the McAfee EMM app on page 44
  Use the McAfee EMM app to provision your Android device. Provisioning with the app includes installing the Secure Container to access enterprise email, contacts, and calendars.

• Configure email for Android devices on page 45
  If you didn't install the Secure Container and your corporate email isn't listed in Applications | Settings | Accounts and sync after provisioning, use Exchange ActiveSync to manually configure email.

Provision Android devices using the McAfee EMM app

Use the McAfee EMM app to provision your Android device. Provisioning with the app includes installing the Secure Container to access enterprise email, contacts, and calendars.

Task

1 Download the McAfee EMM app from the Android Market, then confirm the download.

2 Click Install.


Page 45: EMM 10.1 Installation Guide

3 Launch the McAfee EMM app.

4 Enter your email address and password, then click Sign In.

a (Optional) If your device doesn't automatically detect the EMM server, enter the server address provided by your administrator, then click Sign In.

b (Optional) If your administrator set a temporary password, on the Provisioning Token screen, enter the password, then click OK.

5 On the User Agreement screen, click Accept.

6 When the Activate Device Administrator screen appears, click Activate.

7 (Optional, Android 3.x and later) If your organization's security policies are set to allow only encrypted devices, you are redirected to your device's encryption settings page. Click to encrypt your device.

8 On the EMM Screen unlock security screen, set a PIN or password for your device, then click OK.

9 On the Secure Container installation screen, you are prompted to do one of the following:

• If you are assigned to a policy that requires the Secure Container, click OK. You are taken to the Android Market to install Secure Container.

• If you are assigned to a policy that recommends the Secure Container, you have the option to install it. Click Yes or No. If you click Yes, you are taken to the Android Market to install Secure Container.

10 (Optional) If you installed the Secure Container in the previous step, you are prompted to do the following:

a Enter the password for your email account. Click OK, then enter your password.

b Create a Secure Container passcode. On the Setup Passcode screen, enter a passcode, then re-enter to confirm.

Configure email for Android devices

If you didn't install the Secure Container and your corporate email isn't listed in Applications | Settings | Accounts and sync after provisioning, use Exchange ActiveSync to manually configure email.

Task

1 Click Applications | Settings | Accounts and sync.

2 Click Add Account | Microsoft Exchange ActiveSync.

3 Follow the prompts to enter your email address, password, domain\user name, and proxy server address, then click Done.

4 (Optional) If prompted, click OK to allow remote security administration.


Page 46: EMM 10.1 Installation Guide

Provision Windows Phone 7 devices

Use Exchange ActiveSync to manually configure email on your Windows Phone 7.

Task

1 Select Settings | Email & Accounts | Add an Account.

2 Select Outlook.

3 Enter your email address and password, then click Sign In.

The message "Your settings could not be found..." appears.

4 Enter the domain, then click Sign In.

The message "Your settings could not be found..." appears.

5 Click OK.

6 Click Advanced.

7 In the Server field, enter the server address of the EMM proxy, then click Sign In.

Provision Windows Mobile devices

Use the McAfee EMM Portal to provision your Windows Mobile device.

Task

1 Access the URL for the McAfee EMM Portal for your organization.

2 View the user agreement, then click Accept.

3 Enter your network user name, password, and domain, then click Log On.

4 On the Download page, click Provision My Device. The prompts to download the Download Manager vary by device. Confirm the download as prompts appear.

If you are prompted with the message "TDDM *****.cab. What would you like to do with this file?", click Open to continue the provisioning process. (If you click Save, the provisioning process stops.)

5 On the Download Manager screen, enter the user name, password, and domain (the domain might be pre-populated), then click Next.

6 When installation is complete and the device has automatically restarted, enter default password 12345, then click Unlock.

7 On the Change Password screen, enter a new power-on password for the device, then click Done.


Page 47: EMM 10.1 Installation Guide

5 Modifying McAfee EMM software

The server-side components of the McAfee EMM software are easily upgraded, migrated, or uninstalled.

Contents

• Upgrade McAfee EMM software
• Migrate McAfee EMM software
• Uninstall McAfee EMM software

Upgrade McAfee EMM software

You can upgrade your McAfee EMM software to version 10.1 from versions 9.6, 9.7.2, or 10.0. If you have versions 9.7.0, 9.7.1, or a version earlier than 9.6, contact McAfee Technical Support for assistance.

• Upgrading an enhanced security installation (on dual servers) — Complete the upgrade procedure first on the internal server that contains the McAfee EMM Hub, Console, and Database, then repeat the upgrade procedure on the external server containing the McAfee EMM DMG, Proxy, and Portal.

• Upgrading from a simplified deployment — Follow the procedure for migrating McAfee EMM.

Task

1 Log on to the server where the McAfee EMM Hub and Database are installed.

2 Locate and right-click the upgrade file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

If prompted, click Yes to reboot the server. The installer continues automatically when the reboot is complete.

3 On the Agreement screen, accept the terms of the license agreement, then click Next.

If you are running the upgrade installer for the second time, the field Use Configuration From Previous Installations appears on the Agreement screen. Select this option to keep the configurations from your previous upgrade.

4 On the Options screen, click Upgrade.

5 (Optional) If you're using Windows or SQL authentication, the Database Settings screen appears. Complete the fields, or verify the pre-populated values if you selected to use configuration from your previous installations, then click Next.

6 On the Summary screen, review the information, then click Upgrade.

7 Click Finish to close the upgrade installer.


Page 48: EMM 10.1 Installation Guide

8 (Optional) If you're upgrading from a version earlier than 10.0, you must upgrade the iOS5 profile on users' devices to enable iOS5 restrictions. To push the upgrade to iOS5 devices, do the following:

a Open the EMM Console.

b Click System Settings | General Settings.

c Check to enable Upgrade iOS MDM Access Rights.

d Click Save.

The EMM server sends iOS5 users a push notification to update their corporate device settings. The user is prompted to accept the user agreement and install the updated profile.

Migrate McAfee EMM software

You can migrate your McAfee EMM installation from a simplified deployment to basic security mode. Migration involves uninstalling and reinstalling the McAfee EMM Hub. You don't change the other components of your McAfee EMM system.

Task

1 Log on to the server where the Hub is installed.

2 Manually uninstall the Hub from your McAfee EMM system.

a Select Start | Control Panel | Add or Remove Programs.

b Select McAfee EMM Hub, then click Uninstall.

3 Locate and right-click the file Setup.exe, then select Run as Administrator to open the McAfee EMM Platform Installation Launcher.

If prompted, click Yes to reboot the server. The installer continues automatically when the reboot is complete.

4 On the Agreement screen, accept the terms of the license agreement, then click Next.

5 On the Options screen, click Custom Installation.

6 On the Components screen, select to install the Hub, complete the fields, then click Next.

Field                   Value
Installation Website    Website to install the web service.
Internal Connectivity   • http
                        • https
Encryption Key          Default Key

7 On the Database Settings screen, verify the information is correct, then click Next.

8 On the Migration - ActiveSync to LDAP screen, do one of the following:

• To continue with the migration process by authenticating the servers, deselect Skip Migration of Authentication Servers, then select and edit each authorization server. The Edit Auth Server screen appears for each server. Complete the fields, then click Save. After you've edited all the authentication servers, click Next.

Your entries on the Edit Auth Server screens depend on whether you select user authentication based on Active Directory or Domino credentials.


Page 49: EMM 10.1 Installation Guide

Field            Value
Authentication   • Active Directory
                 • Domino
Domain FQDN      Fully qualified domain name of the server for authentication.
Domain DN        Directory service name to be used for authentication:
                 • Active Directory — This field is populated when Domain FQDN is completed.
                 • Domino — Leave this field blank.
Domain Name      The name of the server to be used for authentication.
                 • Active Directory — This field is populated when Domain FQDN is completed.
                 • Domino — Domain name of the server for authentication.
Username         User name to connect to the directory service.
Password         Password to connect to the directory service.

• To re-install certain components but remain in ActiveSync Protocol mode, select Skip Migration of Authentication Servers, then click Next to reinstall the components.

9 On the Summary screen, review the information, then click Install.

When the installation is complete, details are automatically saved to an install log located at C:\Program Files\McAfee\EMM Platform\Install_ddmmccyy_hhmmss.

10 Click Finish to close the installer.

Uninstall McAfee EMM software

To uninstall McAfee EMM software, follow these steps for each server where you installed components.

Task

1 Log on to the server where your McAfee EMM components are installed.

2 Locate and right-click the file Setup.exe, then select Run as Administrator.

3 When the Options screen appears, click Uninstall.

4 On the Uninstall Summary screen, click Uninstall.

Checkmarks appear next to each component as they're uninstalled.

5 Click Finish to close the uninstaller.


Page 51: EMM 10.1 Installation Guide

A Specialized installation tasks

These specialized installation tasks prepare you for custom configuration of your McAfee EMM software.

Contents

• Create an SRV record
• Export your encryption key
• SQL database permissions for installation

Create an SRV record

Configure an SRV record to allow the McAfee EMM Agent to locate the correct EMM Portal during provisioning.

Task

1 Create an SRV record with this format:

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

_Service   _activation
_Proto     _tcp
Name       Customer's domain name (must end with a period)
TTL        86400
Class      IN
SRV        SRV
Priority   0
Weight     1
Port       443
Target     Canonical hostname of the EMM portal server

An example SRV record is:

_activation._tcp.acme.com. 86400 IN SRV 0 1 443 emm.acme.com

2 Publish the certificate to a device-accessible DNS server.
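A record can be checked against the values in step 1 before it is published. The following PowerShell is an added example, not part of the original guide or of McAfee EMM; ConvertFrom-SrvLine and Test-EmmSrvRecord are hypothetical helper names, and the second sample line is constructed to show the failure case.

```powershell
# Added example: check an SRV record line against the field values this guide specifies.
# ConvertFrom-SrvLine and Test-EmmSrvRecord are hypothetical helper names.

function ConvertFrom-SrvLine {
    # Parses "_Service._Proto.Name TTL Class SRV Priority Weight Port Target".
    param([Parameter(Mandatory)] [string] $Line)
    $fields = -split $Line.Trim()
    if ($fields.Count -ne 8) { throw "Expected 8 fields, found $($fields.Count): $Line" }
    # Owner name splits into service label, protocol label, and the domain name.
    $labels = $fields[0] -split '\.', 3
    [pscustomobject]@{
        Service  = $labels[0]
        Protocol = $labels[1]
        Domain   = $labels[2]
        TTL      = [int]$fields[1]
        Class    = $fields[2]
        Type     = $fields[3]
        Priority = [int]$fields[4]
        Weight   = [int]$fields[5]
        Port     = [int]$fields[6]
        Target   = $fields[7]
    }
}

function Test-EmmSrvRecord {
    param([Parameter(Mandatory)] $Record)
    # Fixed values taken from the field list in step 1 of this task.
    $expected = [ordered]@{
        Service = '_activation'; Protocol = '_tcp'; TTL = 86400; Class = 'IN'
        Type = 'SRV'; Priority = 0; Weight = 1; Port = 443
    }
    $problems = @(foreach ($name in $expected.Keys) {
        if ($Record.$name -ne $expected[$name]) {
            "$name is '$($Record.$name)', the guide specifies '$($expected[$name])'"
        }
    })
    if (-not $Record.Domain -or -not $Record.Domain.EndsWith('.')) {
        $problems += "Name '$($Record.Domain)' must end with a period"
    }
    if (-not $Record.Target) { $problems += 'Target is empty' }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# The guide's own example record.
$guideExample = '_activation._tcp.acme.com. 86400 IN SRV 0 1 443 emm.acme.com'
Test-EmmSrvRecord -Record (ConvertFrom-SrvLine $guideExample)

# Constructed record with the wrong protocol, TTL and port, and no trailing period on the name.
$constructed = '_activation._udp.example.test 3600 IN SRV 0 1 80 emm.example.test'
(Test-EmmSrvRecord -Record (ConvertFrom-SrvLine $constructed)).Problems

# Live lookup after publishing, from a Windows client on the device network:
#   Resolve-DnsName -Type SRV -Name '_activation._tcp.acme.com'
```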

Export your encryption key

You need an encryption key (in .skx format) to customize your McAfee EMM system or migrate the software from one server to another.

Before you begin

McAfee EMM must be installed and you must be logged on to the Console.


Page 52: EMM 10.1 Installation Guide

Task

1 Click the name of the server in the upper-left corner of the McAfee EMM Console.

2 On the Export Key screen in the Key Password field, enter your key password, then select Export Encryption Key.

You are prompted to save the .skx file.

SQL database permissions for installation

The user who installs the McAfee EMM Database on the database server must have the permissions shown here.

CREATE TABLE                    CREATE QUEUE                             ALTER ANY SERVICE
CREATE VIEW                     CREATE SYMMETRIC KEY                     ALTER ANY REMOTE SERVICE BINDING
CREATE PROCEDURE                CREATE ASYMMETRIC KEY                    ALTER ANY ROUTE
CREATE FUNCTION                 CREATE FULLTEXT CATALOG                  ALTER ANY FULLTEXT CATALOG
CREATE RULE                     CREATE CERTIFICATE                       ALTER ANY SYMMETRIC KEY
CREATE DEFAULT                  CREATE DATABASE DDL EVENT NOTIFICATION   ALTER ANY ASYMMETRIC KEY
BACKUP DATABASE                 CONNECT                                  ALTER ANY CERTIFICATE
BACKUP LOG                      CONNECT REPLICATION                      SELECT
CREATE TYPE                     CHECKPOINT                               INSERT
CREATE ASSEMBLY                 SUBSCRIBE QUERY NOTIFICATIONS            UPDATE
CREATE XML SCHEMA COLLECTION    AUTHENTICATE                             DELETE
CREATE SCHEMA                   SHOWPLAN                                 REFERENCES
CREATE SYNONYM                  ALTER ANY USER                           EXECUTE
CREATE AGGREGATE                ALTER ANY ROLE                           ALTER ANY DATABASE DDL TRIGGER
CREATE ROLE                     ALTER ANY APPLICATION ROLE               ALTER ANY DATABASE EVENT NOTIFICATION
CREATE MESSAGE TYPE             ALTER ANY SCHEMA                         VIEW DATABASE STATE
CREATE SERVICE                  ALTER ANY ASSEMBLY                       VIEW DEFINITION
CREATE CONTRACT                 ALTER ANY DATASPACE                      TAKE OWNERSHIP
CREATE REMOTE SERVICE BINDING   ALTER ANY MESSAGE TYPE                   ALTER
CREATE ROUTE                    ALTER ANY CONTRACT                       CONTROL


Page 53: EMM 10.1 Installation Guide

B Language support for McAfee EMM

This table shows languages supported by the McAfee EMM system components.

Code | Language | McAfee EMM App | Server Notifications | Apple App Store (13 languages supported by iOS) | Android Marketplace (15 languages supported by Android) | McAfee EMM Console | User Agreement on the Console

ID | Bahasa Indonesia | Supported | Supported | Supported
ZH-CN | Chinese, Simplified | Supported | Supported | Supported | Supported | Supported
ZH-TW | Chinese, Traditional | Supported | Supported | Supported
NL | Dutch | Supported | Supported | Supported
EN-US | English (U.S.) | Supported — English | Supported — English | Supported — English | Supported — English | Supported | Supported — English
FI | Finnish | Supported | Supported | Supported
FR | French | Supported | Supported | Supported
FR-CA | French, Canadian | Supported with FR | Supported with FR | Supported with FR
DE | German | Supported | Supported | Supported
IT | Italian | Supported | Supported | Supported
JA-JP | Japanese | Supported | Supported | Supported | Supported | Supported
KO | Korean | Supported | Supported | Supported | Supported | Supported
NOR | Norwegian | Supported | Supported | Supported
PT | Portuguese | Supported | Supported | Supported
PT-BR | Portuguese, Brazilian | Supported | Supported | Supported
ES | Spanish | Supported | Supported | Supported
ES-MX | Spanish, Mexican | Supported with ES | Supported with ES | Supported with ES
SV-SE | Swedish | Supported | Supported | Supported
RU | Russian | Supported | Supported | Supported
TR | Turkish | Supported | Supported | Supported


Page 54: EMM 10.1 Installation Guide


DA Danish Supported Supported Supported

PL Polish Supported Supported Supported


Page 55: EMM 10.1 Installation Guide

Index

A

about this guide 5
Active Directory, See LDAP
ActiveSync
  installation settings 37
  pre-installation settings 24
  Proxy, description 9
agents
  BES Agent, installing 39
  Enrollment Agent, installation settings 37
  PKI Agent, installation settings 37
Android devices
  configuring email 45
  provisioning 44
auxiliary components, installing
  BES Agent 39
  Download Manager File Installer 38

B

basic security mode
  about 11
  installing 32
  running the Deployment Helper 21
BES Agent
  description 9
  installing 39
  pre-installation settings 24
BlackBerry Enterprise Server Agent, See BES Agent
browser requirements 13

C

certificate authority
  requirements 13
  troubleshooting certificate errors 40
compliance
  Filter, description 9
  security considerations 7
components
  auxiliary, installing 38
  client-side 10
  server-side 9
  settings, installation 37
  settings, pre-installation 24
configuration
  making changes to 48
  modes 10
considerations, planning your installation
  how users get help 8
  mission-critical access 7
  notifying users 8
  security 7
Console
  description 9
  supported languages 53
conventions and icons used in this guide 5
custom installation
  configuring an SRV record 51
  exporting encryption key 51
  installing 36
  running the Deployment Helper 24

D

Database, McAfee EMM
  installation settings 37
  pre-installation settings 24
Deployment Helper
  about 18
  basic security installation 21
  customized installation 24
  enhanced security installation 18
  running on external servers 19
  running on internal servers 18
deployment planning
  determining mission-critical functions 7
  help for users 8
  notifying users 8
  security 7
devices
  provisioning 43
  settings 15
  supported types 13
DMG, description 9
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5


Page 56: EMM 10.1 Installation Guide

Domino, See LDAP
Download Manager
  description 10
  installing 38

E

email, configuring for Android devices 45
EMM app
  description 10
  provisioning Android devices 44
  provisioning iOS devices 44
EMM Portal
  description 9
  provisioning Windows Mobile devices 46
encryption key, exporting 51
enhanced security mode
  about 10
  installing 29–31
  running the Deployment Helper 18
  upgrading from a previous version 47
Enrollment Agent
  requirements 13
  troubleshooting certificate errors 40
external domain, system settings 15
external server
  installing 31
  running the Deployment Helper 19

H

HA environment, installing 36
hardware requirements 13
help for users, planning 8
Hub, description 9

I

installation
  basic security mode 32
  BES Agent 39
  configuration modes 10
  considerations before 7
  custom 36
  Download Manager File Installer 38
  enhanced security mode 29–31
  migrating, simplified to basic security mode 48
  simplified mode 34
  upgrading from a previous version 47
internal server
  installing 30
  running the Deployment Helper 18
iOS devices, provisioning 44
iPad, See iOS devices
iPhone, See iOS devices
iPod, See iOS devices

L

languages, supported by McAfee EMM 53
LDAP
  installation settings 37
  pre-installation settings 24
  system settings 15

M

McAfee ServicePortal, accessing 6
MDM certificate
  pre-installation settings 24
  system settings 15
migration instructions 48

N

notification to users, planned deployment 8

O

operating system requirements 13

P

PDA Secure, description 10
PKI
  Agent, description 9
PKI environment
  installation settings 37
  installing 36
  pre-installation settings 24
  requirements 13
  running the Deployment Helper 24
  troubleshooting certificate errors 40
portal certificate
  installation settings 37
  pre-installation settings 24
  troubleshooting certificate errors 40
pre-installation
  component settings 24
  considerations 7
  system settings 15
provisioning
  Android devices 44
  configuring SRV record 51
  email on Android devices 45
  iOS devices 44
  overview 43
  Windows 7 devices 46
  Windows Mobile devices 46
public security certificate, See SSL certificate
Push Notifier
  description 9
  system settings 15


Page 57: EMM 10.1 Installation Guide

R

requirements
  PKI environments 13
  system 13
  system settings 15
router and firewall access, system settings 15

S

Secure Container
  description 10
  installing on Android devices 44
security considerations 7
security modes
  basic, on a single server 11, 32
  enhanced, on dual servers 10, 29
  migrating to basic security mode 48
  simplified 12, 34
ServicePortal, finding product documentation 6
settings
  installation 37
  pre-installation 24
  system requirements 15
simplified mode
  about 12
  installing 34
  migrating to basic security mode 48
  upgrading from a previous version 47
SQL
  account, system settings 15
  database permissions 52
  server requirements 13
SRV record, creating 51
SSL certificate, system settings 15
supported devices 13
system requirements 13

T

Technical Support, finding product information 6
troubleshooting, certificate errors 40

U

uninstallation instructions 49
upgrade instructions 47
user authentication, system settings 15
user devices, See devices

W

Windows 7 devices, provisioning 46
Windows Mobile
  Download Manager File Installer 38
  provisioning devices 46
