June 22, 2012
R1
Release 4.0
Copyright © 2012, Juniper Networks, Inc.
Junos® Pulse Mobile Security Gateway
Administration Guide
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or
licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Copyright © 2012, Juniper Networks, Inc. All rights reserved.
Table of Contents
About This Guide
  Audience
  Obtaining Documentation
  Documentation Feedback
  Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC
Chapter 1 Getting Started
  Pulse Mobile Security Overview
  Enterprise and Consumer Deployments
  Administrators and Roles
  Customer Service Roles
  New Features in Pulse Mobile Security Release 4.0
  Accessing the Pulse Mobile Security Gateway
  Using the Pulse Mobile Security Gateway Management Console
Chapter 2 Setting Up the Pulse Mobile Security Gateway
  Add Partners and Enterprises
  Adding a Partner
  Adding an Enterprise
  Editing the Default Enterprise Policy Settings
  Moving an Enterprise to Another Partner
  Adding Administrator Accounts
  Adding an Administrator Role
  Adding a User Account
  Assigning a Role and User Control List to a User Account
  Registering Devices
  Manual Registration of iOS Devices
  Manual Registration of non-iOS Devices
  Automatic Registration
  Configuring Device Identity Servers
  Importing Certificates for Device Identity Servers
  Importing the Certificate for the Pulse Mobile Security Gateway
  Configuring C2DM and System Log Settings
  Updating Malware Signatures
  Creating Certificates for the Pulse Mobile Security Gateway
  Importing Certificates for the Control Center and Signature Update Server
  Configuring the Control Center Settings
  Configuring the Signature Update Server
Chapter 3 Device Profiles
  Defining Prohibited Applications
  Managing Profiles for iOS Devices
  Adding and Editing iOS Profiles
  Setting the Default iOS Profile
  Deleting iOS Profiles
  Managing Firewall Rules and Profiles
  Adding Firewall Rules
  Modifying Firewall Rules
  Deleting Firewall Rules
  Adding Firewall Profiles
  Modifying Firewall Profiles
  Deleting Firewall Profiles
  Managing Antispam Rules and Profiles
  Adding Antispam Rules
  Modifying Antispam Rules
  Deleting Antispam Rules
  Adding an Antispam Profile
  Modifying an Antispam Profile
  Deleting Antispam Profiles
Chapter 4 User Accounts
  Managing User Accounts
  Adding a User Account
  Modifying User Accounts
  Deleting a User Account
  Managing User Groups
Chapter 5 Devices
  Devices Overview
  Adding Devices Manually
  Modifying Device Settings
  Applying iOS Profiles to Devices
  Sending Device Commands
  Backing Up and Restoring Personal Data
  Managing Device Groups
Chapter 6 Reports
  Viewing Reports
  Removing Applications From Managed Devices
  Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices
  Tracking Devices with GPS
  Viewing the Gateway and Change History Logs
Appendix A Summary of Supported Features
  Pulse Mobile Security Features by Device Type
Index
About This Guide
The Junos Pulse Mobile Security Suite consists of the Pulse client application and the
cloud-based Mobile Security Gateway, with its associated management Console and
end-user Dashboard. This guide describes how to configure and manage Pulse client
devices using the management Console of the Mobile Security Gateway.
Audience
This guide is intended for:
• Enterprise security administrators responsible for the setup and/or maintenance of
  the Junos Pulse Mobile Security Gateway
• Enterprise security administrators and customer service personnel responsible for
  providing support for users of the Junos Pulse Mobile Security client and Dashboard
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation, see
the products documentation page on the Juniper Networks Web site at
http://www.juniper.net/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
[email protected], or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to
include the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need post-sales technical support, you can
access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7
days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
Find CSC offerings—http://www.juniper.net/customers/support/
Search for known bugs—http://www2.juniper.net/kb/
Find product documentation—http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base—
http://kb.juniper.net/
Download the latest versions of software and review your release notes—
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications—
http://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum—
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Manager—
http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool—https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Manager tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822—toll free in USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support/.
Chapter 1
Getting Started
This chapter provides a brief overview of the Pulse Mobile Security Gateway.
“Pulse Mobile Security Overview” on page 1
“Accessing the Pulse Mobile Security Gateway” on page 4
“Using the Pulse Mobile Security Gateway Management Console” on page 5
Pulse Mobile Security Overview
The Pulse Mobile Security Gateway lets you centrally manage mobile (handheld)
devices that are protected by the Junos Pulse Mobile Security Suite. The Pulse Mobile
Security Suite is client software that protects mobile devices from viruses, spyware,
identity theft and other threats. Users can install the Pulse client software from the
applications store associated with any of the following mobile operating systems:
• Apple iOS
• RIM Blackberry
• Google Android
• Nokia Symbian
• Windows Mobile
For a list of the supported versions of each operating system, see the Junos Pulse
Mobile Supported Platforms Guide, which is available at
http://www.juniper.net/support/products/pulse/mobile/
The Layer 3 VPN feature of the Pulse client (not supported by Blackberry) provides
secure access to private networks by connecting to a Juniper Networks SA Series SSL
VPN appliance. To activate all other security features, and allow the gateway to manage
the device, the mobile device must be registered with the Pulse Mobile Security
Gateway.
The Pulse Mobile Security Suite provides the following features:
Antivirus—Devices are protected by real-time antivirus and malware protection with
automatic updates (non-iOS devices only). You can scan files across network
connections, perform on-demand scans, and provide virus and malware detection
alerts. Note that users can enable the following options on Android devices:
− Scan Memory Card on Insert—The memory card is scanned when it is first
installed (if the power is on), not when files are added.
− Scan application on install—Applications are scanned for malware during
installation. If the administrator defines any prohibited applications, scanning
occurs during installation even if this feature is disabled.
Android malware detection—Android devices receive signatures to detect both
malware and suspicious applications, and you can define a list of prohibited
applications. Depending on the device type, malware and prohibited applications are
deleted automatically or the user is prompted periodically to perform the deletion.
Personal firewall—Provides inbound and outbound IP address and port filtering.
Antispam—Provides filtering to block voice and SMS spam and to deny unknown or
unwanted calls.
Backup and restore—The contact list and calendar on non-iOS devices can be backed
up in a standard format and restored to another device.
Loss and theft protection—From the gateway, you can perform remote lock, remote
wipe, GPS locate and track, remote alarm and notification, and SIM change
notification.
Device monitoring and control—The gateway provides tools for application inventory
and removal, monitoring (SMS, MMS, e-mail message content, and photos stored on
device), and the ability to view the call log and the user’s contacts.
Consumer Dashboard—Allows users to log in to the gateway to locate a lost or stolen
device, view reports of the device usage, or use other security features.
Informational Note: The firewall and antispam features are supported only by the
Windows Mobile and Symbian devices. For more information about version support for
each device type, see the Junos Pulse Supported Mobile Platforms Guide.
Enterprise and Consumer Deployments
The features deployed for enterprise and consumer users may differ. For example, a
typical enterprise solution may include the Junos Pulse SSL VPN client features, while a
typical consumer solution might consist of just the Pulse client's anti-malware
and anti-theft features.
Administrators and Roles
Each gateway administrator account requires a role that determines the functions that
the user can perform and a user access control list that determines the mobile devices
the user can access. User roles and accounts can be defined at each administrative level
(Root, Partner, and Enterprise), but most administrators will have an Enterprise
account.
Each role specifies the permissions (view, add, edit, delete, and move) for the following
objects that you manage in the Pulse Mobile Security Gateway:
Partner—A group of one or more Enterprises. Only Root and Partner administrators
can add or view Partners.
Enterprise—An organization that manages registered mobile devices. Registered
devices exist only at the Enterprise level. Each Enterprise has a Consumer or
Enterprise license. Enterprise administrators can allow users to log in to the gateway
Dashboard to locate a lost phone or use other security features.
User—An Enterprise user account is created automatically when a mobile device is
registered. To create an administrator account, you can add a role and access control
list to an existing user account, or manually create a new account.
User Group—Enterprise user accounts can be organized into user groups, such as by
department or business unit. You can then issue commands to the devices
associated with the users in one or more groups.
Device—A device record is created in the appropriate Enterprise when a mobile device
is registered. Mobile devices are identified by their MSISD (Mobile Subscriber
Integrated Services Digital Network number, which includes the phone number,
country code, and area code) and IMEI number (International Mobile Equipment
Identity).
Device Group—Enterprise devices can be organized into device groups. You can then
issue commands to the devices in one or more groups or view reports for a selected
device group.
Profiles—Groups of rules that you can assign to an Enterprise or apply to specific
devices. Profiles assigned to an Enterprise are applied to each device that registers
with the Enterprise. The current profiles are:
iOS Profile—Defines various settings on iOS devices, such as user restrictions,
password requirements, and the VPN and Wi-Fi networks that users can access.
Firewall Profile—Defines Internet access permissions, both inbound and outbound,
for Windows Mobile and Symbian devices.
Antispam Profile—Defines antispam conditions that let you block incoming calls and
SMS messages from specific phone numbers on Windows Mobile and Symbian
devices.
Each role also lets you allow or disallow certain tasks, such as sending commands to
devices or viewing specific device reports. If you are not authorized for certain tasks, the
related menu items and buttons are hidden or disabled.
For each new Enterprise, a Root or Partner administrator must create the Enterprise and
add an Enterprise user account and role for use by the Enterprise administrator. Partner
administrators can manage all Enterprises associated with the Partner. Root
administrators can manage all Partners and Enterprises. For more information about
user accounts and roles, see “Adding Administrator Accounts” on page 15.
Customer Service Roles
Juniper Networks provides Customer Service personnel with credentials that allow
access to all tasks related to the support of Pulse client users. Enterprise tasks regarding
groups, profiles, and policies are not performed by support personnel.
IMPORTANT!: Each chapter of this guide begins by indicating whether enterprise
administrators or customer service personnel typically perform the tasks in that
chapter. More specific notes about the tasks relevant to customer service personnel are
included in each section, as appropriate.
New Features in Pulse Mobile Security Release 4.0
Release 4.0 includes the following new features:
Service Bundles for Android and Blackberry devices—Services such as Antivirus,
Backup/Restore, Monitoring and Control, and Anti-Theft can be enabled in any
combination on the consumer Dashboard and Android and Blackberry devices.
Inactive services can be grayed out and assigned an appropriate URL so that users
can add or change the active services.
As noted earlier, the solution deployed for an enterprise or consumer can
consist of various features. Feature bundles may be offered in certain
combinations to enterprise or consumer users, and support or store personnel can
help users enable the desired services.
Pulse Client enhancements—The Junos Pulse client for Android and Blackberry
devices has been redesigned with a more consumer-oriented interface. The new
client interfaces support service bundles, and allow users to disable an alarm
(Scream) that is enabled remotely to help locate the device.
Dashboard enhancements—The consumer Dashboard has also been redesigned
and includes support for service bundles, plus the following new login features:
− Users can log in to the Dashboard using either a device’s e-mail address or phone
number as the username.
− Users can change a device’s e-mail address from the Dashboard. When a device
is registered or the e-mail address is changed, users receive an e-mail with a URL
that they can select to confirm the new address. A reminder is displayed on the
Dashboard until the new address is confirmed.
− Users who do not know their password can reset the password on the Dashboard
login page. An e-mail is sent to the user with a login URL and a temporary
password.
Lock/Unlock commands—The Lock command issued from the management
Console or Dashboard now generates a passcode that can be e-mailed to the users of
Android and Blackberry devices. The Unlock command can be used to unlock a
device or change the password for an Android or Blackberry device.
Web filtering for Android devices—The Pulse Mobile Security Gateway can be
configured to use a Websense® server to look up the category of each URL accessed
from Android devices. Dashboard users can block or monitor selected categories of
websites and define lists of URLs that are always allowed or blocked.
C2DM support—The Cloud to Device Messaging (C2DM) service can be configured as
an alternative to SMS for communicating with Android devices (version 2.2 or later). If
the C2DM service is not available, SMS is used as the default.
Compatibility with previous releases—Release 4.0 of the gateway supports all
previous Junos Pulse clients, but requires Pulse 4.0 clients to support the new
features in this release. Pulse 4.0 clients are not guaranteed to be compatible with
earlier versions of the gateway.
Accessing the Pulse Mobile Security Gateway
The URL used to access the management Console of a Pulse Mobile Security Gateway
depends on whether you are hosting the gateway in your own network. To access the
management console of a gateway hosted by Juniper Networks, enter the following
URL in your browser:
https://mss.junospulse.juniper.net
Use the login credentials provided for you. If you are the Root administrator logging in for
the first time to a gateway in your own network, use [email protected] and
password for the username and password. If you are a customer service representative,
your login credentials give you access to the appropriate gateway and user accounts.
If access to the gateway Dashboard is enabled, users can use their registration e-mail
address and password to log in to the Dashboard at the following URL to view device
reports, locate a missing device, or use other security features, depending on the
features purchased or available.
The Dashboard URL for a gateway hosted by Juniper Networks is:
https://mss.junospulse.juniper.net/smobile/dashboard/login.htm
For Windows Mobile and Symbian users, who can enter just the license key during
registration, the IMEI number is used for the e-mail address (imei@a.a) and password.
Administrators can change the defaults and notify the user.
Informational Note: To use the Pulse Mobile Security Gateway, your browser must be
Google Chrome version 6.0, Microsoft Internet Explorer version 7.0 or 8.0, or Mozilla
Firefox 3.0, 3.5, or 3.6. JavaScript and cookies must be enabled on the browser.
Using the Pulse Mobile Security Gateway Management Console
The management Console of the Pulse Mobile Security Gateway has a navigation panel
on the left, a central data panel, and a top panel for additional features, such as search
and help. For enterprise or partner administrators, the navigation panel displays a
hierarchy of the Partners and Enterprises. Most administrators manage a single
Enterprise and its associated users and devices (see Figure 1 on page 5). Customer
service personnel do not see a hierarchy, but are logged in to the appropriate gateway
for the users that they support.
Informational Note: Administrators must select the appropriate item in the navigation
panel before performing an operation. Each action is applied to the selected Partner,
Enterprise, or group. For example, select a device group to view reports for just the
devices in that group.
Figure 1: Pulse Mobile Security Gateway Management Console
The top panel provides the following selections:
Search—Lets you search for device identifiers, or the names of users, Enterprises, user
groups, or device groups. The device identifiers include the phone number (MSISD)
and the DID, ESN, IMEI, IMSI, and UUID.
My Account—Lets you change your login account.
Admin—Lets you define and assign user roles. Root administrators can also
configure certificates and the connections to the Control Center and the Signature
Update Server.
Help—Provides information about software versions, the license, and system uptime,
the list of commands that can be sent to managed devices, and the current list of
known viruses.
The following tabs are presented below the top panel. These tabs apply to an
enterprise that is selected by an administrator, or automatically selected for a customer
service representative.
Reporting—Shows a summary of virus and registration activity and provides links to
more detailed reports. For more information about reports, see “Viewing Reports” on
page 57.
Profiles—Allows enterprise or partner administrators to define profiles for iOS devices
and firewall and antispam profiles for Windows Mobile and Symbian devices in the
Enterprise. In addition, a Root administrator can define a list of prohibited
applications for the Android devices in all Enterprises.
Customer service personnel generally do not define the profiles, but in some cases
may need to access these functions (see “Device Profiles” on page 27).
Users—Lists the current user accounts. When a mobile device is registered, the
gateway creates a user account that includes the device information. You can edit
user records to reset the password or make other changes.
Devices—Shows each registered mobile device. Depending on your role and
associated access permissions, you can edit the settings for individual devices, apply
profiles to iOS devices, move devices into a device group, and send commands to
selected devices. You can also add and delete device groups, and send commands to
the devices in one or more groups.
Settings—Provides a summary of the Enterprise settings and lets the enterprise
administrator define the default security settings that are applied to mobile devices
when they register with the Enterprise.
Logs—Provides access to the gateway logs. You can search the logs and view the log
entries to assist in troubleshooting and reporting.
Chapter 2
Setting Up the Pulse Mobile Security Gateway
This chapter contains information for partner and enterprise administrators, and
includes topics (indicated by an asterisk in the list below) that are relevant to service
providers who install the Pulse Mobile Security Gateway in their own network. Typically,
customer service personnel do not perform these tasks and do not have access to these
settings. Most setup tasks are performed by Juniper Networks personnel before users
install the Junos Pulse client and register with the gateway.
“Add Partners and Enterprises” on page 7
“Adding Administrator Accounts” on page 15
“Registering Devices” on page 18
“Configuring Device Identity Servers” on page 19 *
“Configuring C2DM and System Log Settings” on page 21 *
“Updating Malware Signatures” on page 22 *
Add Partners and Enterprises
The following topics describe how to add Partners and Enterprises (at least one of each
is required), and how to move an Enterprise to a different Partner:
“Adding a Partner” on page 7
“Adding an Enterprise” on page 8
“Editing the Default Enterprise Policy Settings” on page 9
“Moving an Enterprise to Another Partner” on page 15
Adding a Partner
A Partner is used to identify a group of Enterprises. At least one Partner is required, and
the Default Partner is created automatically. A Root administrator can define new
Partners or change the Default Partner. Root administrators can then add one or more
Enterprises or create a user account for a Partner administrator who can add the
needed Enterprises.
To add a Partner:
1. Log in to the gateway as a Root administrator.
2. On the Home page, click Add Partner.
3. Specify the following properties:
Partner Name—Typically, the name of the organization.
Notes—Information such as how to contact the Partner administrator.
4. Click Save to create the Partner.
Adding an Enterprise
An Enterprise is any organization that manages mobile devices. For each Partner, a
Default Enterprise is created automatically. A Root or Partner administrator can define
new Enterprises or change the Default Enterprise. Root or Partner administrators can
manage each Enterprise or create a user account for an Enterprise administrator who
can perform Enterprise-specific management tasks.
To add an Enterprise:
1. Log in to the gateway as a Root or Partner administrator.
2. On the navigation panel, select the Partner where you want to add an Enterprise,
and click Add Enterprise.
3. Specify the following properties:
Setting | Description
--- | ---
Enterprise Name | A descriptive name.
Enterprise Code | A code that identifies this Enterprise to managed devices. If the license type is Enterprise, the Enterprise code is used as the license key during registration. The Enterprise code must be unique.
License Type | Select whether the software is licensed by the Enterprise or by the device (Consumer).
License Count | Number of licensed devices.
License Expiration Date or License Length | For an Enterprise license type, enter or select the license expiration date for the Enterprise and all of its registered devices. For a Consumer license type, enter the number of days that each registered device is licensed to use the software. The expiration date cannot exceed 2031.
Require Customer Account | Requires administrators to create a user account before a device can register with the Enterprise. If you do not select this box, a user account is created automatically when a device is registered.
Allow Insecure Clients | Allows gateway access for devices that do not use the latest authentication method (selecting this option is recommended).
Allow Manual Registration | Allows users to register with the Enterprise by manually entering a license key. Currently, only Android, Blackberry, and iOS devices can be registered automatically.
Allow Dashboard Access | Allows users to log in to the gateway Dashboard to locate a lost phone or use other security features. If this check box is cleared, the Enterprise administrator uses the management Console to perform all the tasks available on the Dashboard.
Notes | Descriptive information about this Enterprise.
Products | Select the features enabled in this Enterprise. To change the default settings for each feature, see “Editing the Default Enterprise Policy Settings” on page 9. Note that disabling Antivirus also disables scanning for malware and suspicious applications on Android devices. However, scanning for prohibited applications on Android devices cannot be disabled. Options: Firewall; Antispam; Antivirus; Control (antitheft and monitoring).
4. Click Save to add the Enterprise to the end of the list of Enterprises on the Partner
page. You may have to refresh the page to see the new Enterprise.
5. To change the general Enterprise settings, click the Edit icon to the right of the
Enterprise. To change the default policy settings for the Enterprise, click the
Enterprise Settings icon next to the Edit icon or select the Enterprise and click the
Settings tab (see “Editing the Default Enterprise Policy Settings” on page 9).
Editing the Default Enterprise Policy Settings
Enterprise administrators can change the default policy settings that are applied to new
devices when they register with the Enterprise. After registration, feature settings can be
changed by sending commands to specific devices.
Informational Note: The supported features vary by device type. If a device does not
support a feature, the feature settings are ignored. For example, the firewall and
antispam settings apply only to Symbian and Windows Mobile devices.
To view and edit Enterprise settings:
1. Select the Enterprise in the navigation panel.
2. Select the Settings tab.
3. Review the general settings. To change the general settings, see “Adding an
Enterprise” on page 8. If you access the Enterprise from another system using SOAP
API calls, click Generate UUID to generate a universally unique identifier for the
Enterprise.
4. To view or change the policy settings, click Enterprise Settings.
5. Edit the following settings as needed, and click Update.
Setting Description
Aggregator Settings
Username The username passed to the SMS provider’s gateway API when sending
commands. An SMS gateway is required to send commands to non-iOS
devices.
Password The password passed to the SMS provider’s gateway API when sending
commands.
SMS Sender Code Reserved for future use.
API The API key assigned by the aggregator. The key, along with the
username and password, provides authentication to the SMS gateway
when you send a command to a device.
URL The base URL of the SMS aggregator's API. The Pulse Mobile Security
Gateway adds the remainder of the URL when you send a command.
Other Settings
Software Download URL Web page where users can download and install the Pulse client for their
device. If you manually add a device, the gateway sends an SMS
message or e-mail to the device with a link to this URL and a license key.
Update Schedule Select how often the settings on the gateway, including virus definitions,
are synchronized with the settings on non-iOS devices. Select never to
disable synchronization with the gateway. If users change the update
schedule on the device, it is reset during the next synchronization.
Android Malware Scan Interval Select Hours (1 to 72) or Minutes (1 to 999) and enter the number of
hours or minutes between scans for malware on Android devices. To
disable malware scanning, enter zero.
Default UI Settings
UI Mode Indicates the Junos Pulse features available to users of Android and
Blackberry devices. Select one of the following:
Full UI—Includes all features of the Junos Pulse client.
Minimal UI—Includes only a Splash screen, license screen, and a
Home screen with an About button. Detected viruses, malware, and
prohibited applications are deleted automatically, and suspicious
applications are displayed to the user so they can be deleted or
allowed. If a device does not support automatic deletion of
applications, the Scan Results page is displayed periodically until the
offending applications are deleted manually.
Security UI—Includes all Junos Pulse features, except the ability to
define VPN connections to private networks. Users can scan for viruses
and malware, view scan results, back up data, and so on.
UI Button Mode (service bundle) For Android and Blackberry devices, if the UI Mode is Full UI or Security UI,
the following features can be active or inactive, and visible or hidden on
the device and Dashboard. Active features can be hidden to simplify the
user interface. Inactive/Visible features are grayed out so that users can
select them to purchase the feature. Professional Services can customize
the URL associated with grayed out buttons or text and assist you with
enabling features programmatically through the gateway API.
Select the activation status for each of the following:
Anti Virus—The Active/Visible selection displays a Scan/Threats
Detected button and a Security Settings selection on the device so
that users can start a scan or change the default scan and virus update
settings. On the Dashboard home page, an Anti-Virus Activity section
is displayed with an event count that users can select to view the list of
events.
The Active/Hidden selection hides the feature on the device and
Dashboard, but viruses, malware, and prohibited applications are
detected on the device and deleted automatically or the user is
prompted to remove them.
Backup—The Active/Visible selection displays a Backup button on the
device and a Backup and Restore button on the Dashboard. Users can
back up their personal contacts and calendar from the device, but they
must use the Dashboard (or contact an administrator) to restore the
last backup. The Active/Hidden selection has the same effect as
Inactive/Hidden.
Monitor & Control—The Active/Visible selection displays the Remote
Monitoring button on the device so that users can view which items are
monitored and whether GPS tracking is enabled. The Dashboard is
updated as follows:
− The Remote Monitoring section is displayed on the home page with
counts of the monitored messages, calls, applications, and
photographs that users can select to view lists of each item.
− The Alert Setup tab allows users to set up alerts based on the
message content (if messages are monitored).
− The Reports tab allows users to view a Text and Email Monitoring
report.
− The Settings page allows Dashboard users to change the default
monitor and control options for a device.
The Active/Hidden selection hides the feature on the device and
Dashboard, but allows an administrator to view the device activity logs
(see “Viewing the Applications, Contacts, Pictures, and Messages on
Managed Devices” on page 60).
Anti Theft—The following buttons can be displayed on the Dashboard
home page. If any of these buttons is visible, an Anti Theft button is
displayed on the device that allows users to view, and optionally
change, the status of each feature. Active/Visible features are shown
as enabled; Inactive/Visible features are shown as disabled. The
Active/Hidden and Inactive/Hidden selections have the same effect.
− Wipe Device—The Active/Visible selection allows Dashboard users
to erase personal data from a device, depending on the device type
(see “Personal Data Erased by Handset Wipe Command” on
page 64).
− Lock/Unlock Device—The Active/Visible selection allows
Dashboard users to lock or unlock a device.
− Scream Locate—The Active/Visible selection allows Dashboard
users to enable an alarm to help locate a device in the immediate
area.
− Locate Device—The Active/Visible selection allows Dashboard
users to enable GPS reporting on a non-iOS device and view the
device’s location on a map. To view the location of an iOS device, an
administrator must enable GPS reporting on the device.
− Custom Button—The Active/Visible selection displays a
customized button on the home page of the device and Dashboard
that users can select to purchase or cancel optional features. The
Inactive/Visible selection also displays the button. Professional
Services can configure the button and its associated URL.
Android Password Policy and Control Encryption
Require encryption on device Prompts the user to enable encryption of application data on Android
devices (if encryption is disabled). If a passcode is not defined on the
device, PasswordNotSufficient is written to the Enterprise log, and the
user is not prompted to enable encryption.
Require passcode on device Prompts the user to set a passcode on Android devices.
Auto-lock Locks the device after the selected number of minutes (1 to 5) of
inactivity. Select — to disable the feature.
Maximum number of failed attempts Erases all data on the device after the selected number of failed login
attempts (4 to 16). Select — to disable the feature.
Allow simple value Allows a passcode with repeated, ascending, or descending characters.
Require alphanumeric value Requires the passcode to have at least one letter.
Minimum passcode length Requires the passcode to have the selected number of characters
(1 to 16).
Minimum number of complex characters Requires a passcode to have the selected number of special characters
(1 to 4), such as @ and &. Select — to disable the requirement.
Passcode history Requires the specified number of unique passcodes (1 to 50) before a
passcode can be repeated. Enter a zero to disable the requirement.
Maximum passcode age Prompts the user to change the passcode after the selected number of
days (1 to 730). Enter a zero to disable the prompt.
iOS Settings
iOS Default Profile Select the profile that is applied to iOS devices when they register with
the Enterprise. The predefined AutomaticDefault profile, which can be
changed, is created automatically for each Enterprise. To add or change a
profile, click iOS Profiles. You can also apply profiles to selected devices
after they are registered.
Device Check-In Period Select the number of days between the prompts sent to each iOS device
to check in with the gateway for profile and updates. Select Disable to
stop sending check-in prompts to registered devices.
MDM APNS Certificate Signing Request (CSR)
Generate To manage iOS devices, an Apple Push Notification Service (APNS)
certificate must be uploaded to the Enterprise. Without an APNS
certificate, iOS devices can register, and iPhones and iPads with 3G
support can report their GPS location (Dashboard users will see only the
GPS location), but the certificate is required for all other features. After
the certificate is installed, users who are already registered must uninstall
and reinstall the Pulse client.
Before you begin, note the following:
If you do not have an Apple ID, go to https://appleid.apple.com to
create one.
If the Control Center is not configured, see “Configuring the Control
Center Settings” on page 24.
To obtain an APNS certificate:
1. To create a CSR, click Generate, and specify the following:
− Common Name—Unique name used to identify the certificate.
− Organizational unit—Name of your department.
− Organization—Legal name of your company/organization.
− Locality—Name of the city where your organization is located.
− State (fully spelled out)—State or province name.
− Country (2 letter code)—Country or region code.
2. Click Generate to have the Control Center sign the CSR. Contact
Technical Support if the error MSG Control Center failed to sign
certificate request is displayed.
3. Click Download and save the apnscsr.plist file.
4. Click Upload CSR to Apple, log in to the Apple portal, and do the
following:
a. Click Create a Certificate, accept the terms, and then browse to the
location of the apnscsr.plist file, and click Upload.
b. Click the Download button next to the generated certificate and
save the file locally. The APNS certificate file name is:
MDM_<VendorName>_Certificate.pem.
5. On the Enterprise page, click the Upload button, click Browse, select
the APNS certificate file, and click Upload. The certificate type must
be PEM.
The Upload button is hidden after a certificate is uploaded to the
Enterprise.
APNS Certificate
After you upload the APNS certificate, the certificate status and
expiration date are displayed. Certificates are valid for one year. When a
certificate expires, you can click Delete and upload a new certificate.
NOTE: Use the Upload button in the previous section. The Upload button in this section is for compatibility with the APNS procedure used in release 3.0. After the new certificate is installed, users who are already registered must uninstall and reinstall the Pulse client.
Default Antivirus Settings
Disable Handset Modifications Prevents users from changing the antivirus settings on non-iOS devices,
and the commands to enable or disable file scanning are not persistent.
During periodic synchronizations with the gateway, the gateway settings
override the settings on the device. Clear the check box to allow the
device settings to override the gateway settings during each
synchronization.
Scan Memory Card Enables periodic scans of the secure digital (SD) memory card on
non-iOS devices.
Scan Files Enables periodic scans of the files on non-iOS devices.
Scan Inside Archives Enables recursive scanning of archive files that are contained within other
archive files (Android devices only). The supported archive files are .zip,
.gzip, and .jar.
Optimize Media Scanning Enables media files larger than 1 MB to be skipped if the file has not
changed since the previous scan (Android devices only). A file is skipped
if the MD5 checksum has not changed. The supported media files are
.gpp, .m4a, .mov, .mpg, .mp3, .mp4, .wav, .bmp, .gif, .jpg, .png, and
.tif/.tiff.
Default Firewall Settings (Win Mobile and Symbian only)
Active Displays the firewall application on Symbian and Windows Mobile
devices. Clear the check box to hide the application.
Disable Handset Modifications Prevents users from changing the firewall settings on the device. Clear
the check box to allow the device settings to override the gateway
settings during the periodic synchronizations with the gateway.
Security Level Choose one of the following:
Disable—Disables the firewall component.
Allow—Permits all traffic that is not specifically blocked in the firewall
profile rules.
Block—Blocks all traffic that is not specifically allowed in the firewall
profile rules.
Profile Set of firewall rules that are applied to devices when they are registered.
Use the list box to select a firewall profile. If you have not yet defined
profiles, you can edit this setting later. You can also apply profiles to
individual devices.
Default Antispam Settings (Win Mobile and Symbian only)
Active Displays the antispam application on Symbian and Windows Mobile
devices. Clear the check box to hide the application.
Disable Handset Modifications Prevents users from changing the antispam settings on the device. Clear
the check box to allow the device settings to override the gateway
settings during the periodic synchronizations with the gateway.
Block Short Codes Blocks SMS messages to or from short codes. Short codes are five- or
six-digit SMS codes that serve as short phone numbers and are often
used by premium SMS services. SMS messages from short codes are
more likely to be spam than messages from regular phone numbers.
Outgoing SMS messages to short codes can incur phone charges. Short
codes are also used for instant messaging (IM) services. Blocking short
codes increases security but also limits service to the client.
Profile Set of antispam rules that are applied to devices when they are
registered. If you have not yet defined profiles, you can edit this setting
later. You can also apply profiles to individual devices.
Default Monitor and Control Settings
Log Event Limit Number of events that are logged on non-iOS devices before they are
uploaded to the server. An event is an instance of any logged item
(e-mail, SMS or MMS message, phone call, or image). Higher values
delay server updates, but minimize SMS charges and conserve battery
life. Select off to disable uploads based on the number of events.
NOTE: Device logs are uploaded to the gateway over HTTPS, not SMS.
Log Size Limit Maximum amount of file space used for the event log on non-iOS devices
(100K is recommended). The log can exceed this value, but if the log
becomes full, an attempt to upload the log occurs after each event.
Select off to disable uploads based on the log size. If both the Log Event
and Log Size limits are off, uploads occur only when requested from the
management Console or user Dashboard.
Log Email Saves all e-mails in the log (not supported on Android and iOS devices).
Log SMS Saves all SMS messages in the log on non-iOS devices.
Log MMS Saves the text portion of all MMS messages in the log on Blackberry and
Symbian devices. Graphics are included only if they are saved on the
device and the Log Images option is selected.
Log Voice Saves a record of each phone call in the log on non-iOS devices, including
date, time, and remote phone number.
Disable Voice Disables the ability to make phone calls (not supported on Blackberry
and iOS devices).
Log Images Saves images in the log that are loaded on non-iOS devices.
Log Web Images Saves images in the log that are accessed with the device Web browser
(not supported on Android and iOS devices).
GPS Update Period Select how often a device reports its GPS location to the gateway, or
select Disable Updates to disable GPS reporting. For iOS devices
(iPhones and iPads with 3G support), this setting does not override the
iOS profile. The device’s last reported location can be viewed on the GPS
Tracking Report (see “Tracking Devices with GPS” on page 60).
Default SIM Change Settings
Lock on SIM Change Locks a non-iOS handset if the SIM card is changed after the device is
registered. Changing the SIM card changes the phone number, and
disables communication with the gateway. This feature helps protect
personal data if the phone is lost or stolen. Logging in with the user’s
registration password unlocks the device and updates the phone number
on the gateway.
NOTE: For a device registered automatically, the user must replace the SIM to unlock the device. Also, locking the device does not disable active background applications, such as a phone call or the music player.
Wipe on SIM Change Wipes the user data from a non-iOS handset if the SIM card is changed
after the device is registered (Lock on SIM Change must be enabled). The
data erased depends on the device type (see “Personal Data Erased by
Handset Wipe Command” on page 64). Note the following:
On Android 2.2 (or later) devices that have the Device Administrator
function enabled, the device is not locked, but a factory reset occurs
that removes all applications installed by the user, including Junos
Pulse. If the Device Administrator is disabled, the device is locked, and
GPS Theft Mode and Monitor & Control logging is enabled.
On Android 2.1 devices, the device is locked, and GPS Theft Mode and
Monitor & Control logging is enabled. The contacts and history are
wiped, but not the SD memory card.
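The Android Password Policy and Control Encryption settings in the table above can be checked before they are applied to an Enterprise. The following Python code is an added example, not code from the gateway or from Juniper Networks: it validates configured values against the ranges given in the table and tests a candidate passcode against the policy. The field names, the sample values, the three-character rule for a "simple" run, and the salted PBKDF2 storage of passcode history are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

HistoryEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest) of an earlier passcode
_REQUIRED = object()                # marks a setting that has no "disabled" value


@dataclass
class AndroidPasscodePolicy:
    """Field names and sample values are assumptions; ranges come from the table."""
    allow_simple: bool = False
    require_alphanumeric: bool = True
    min_length: int = 8                       # 1 to 16
    min_complex_chars: Optional[int] = 1      # 1 to 4, None models the "—" choice
    history: int = 5                          # 1 to 50, 0 disables
    max_failed_attempts: Optional[int] = 10   # 4 to 16, None models the "—" choice
    auto_lock_minutes: Optional[int] = 5      # 1 to 5, None models the "—" choice
    max_age_days: int = 90                    # 1 to 730, 0 disables

    def range_errors(self) -> List[str]:
        """List every setting that falls outside the range the guide allows."""
        rules = [
            ("min_length", self.min_length, 1, 16, _REQUIRED),
            ("min_complex_chars", self.min_complex_chars, 1, 4, None),
            ("history", self.history, 1, 50, 0),
            ("max_failed_attempts", self.max_failed_attempts, 4, 16, None),
            ("auto_lock_minutes", self.auto_lock_minutes, 1, 5, None),
            ("max_age_days", self.max_age_days, 1, 730, 0),
        ]
        errors = []
        for name, value, low, high, off in rules:
            if off is not _REQUIRED and value == off:
                continue  # feature explicitly disabled
            if not isinstance(value, int) or not low <= value <= high:
                errors.append(f"{name}={value!r} outside {low}-{high}")
        return errors


def has_simple_run(passcode: str, run: int = 3) -> bool:
    """True if `run` consecutive characters repeat, ascend by 1, or descend by 1.

    The run length of 3 is an assumption; the guide only says "repeated,
    ascending, or descending characters".
    """
    for step in (0, 1, -1):
        streak = 1
        for prev, cur in zip(passcode, passcode[1:]):
            streak = streak + 1 if ord(cur) - ord(prev) == step else 1
            if streak >= run:
                return True
    return False


def _digest(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, 100_000)


def remember(passcode: str) -> HistoryEntry:
    """Create a history entry without keeping the passcode itself."""
    salt = os.urandom(16)
    return salt, _digest(passcode, salt)


def violations(policy: AndroidPasscodePolicy, passcode: str,
               previous: List[HistoryEntry]) -> List[str]:
    """Return the policy rules a candidate passcode breaks (empty list = accepted)."""
    found = []
    if len(passcode) < policy.min_length:
        found.append("shorter than minimum passcode length")
    if policy.require_alphanumeric and not any(c.isalpha() for c in passcode):
        found.append("no letter (alphanumeric value required)")
    specials = sum(1 for c in passcode if not c.isalnum())
    if policy.min_complex_chars is not None and specials < policy.min_complex_chars:
        found.append("too few complex characters")
    if not policy.allow_simple and has_simple_run(passcode):
        found.append("simple value (repeated, ascending, or descending)")
    # Only the most recent `history` passcodes block reuse; 0 disables the check.
    recent = previous[-policy.history:] if policy.history else []
    if any(hmac.compare_digest(_digest(passcode, s), d) for s, d in recent):
        found.append("reuses a passcode still in history")
    return found


if __name__ == "__main__":
    policy = AndroidPasscodePolicy()
    print(policy.range_errors())
    for candidate in ("1234", "Tr1cky&9x"):   # constructed sample passcodes
        print(candidate, violations(policy, candidate, []))
```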
Moving an Enterprise to Another Partner
An Enterprise can be moved to another Partner on the same gateway or a different
gateway. Moving an Enterprise moves all of its associated data, including users, devices,
and profiles. To move an Enterprise to another Partner on the same gateway, you must
export the Enterprise from the current Partner, delete the Enterprise, and then import
the Enterprise to the new Partner.
To move an Enterprise within the same gateway:
1. Log in to the gateway as a Root or Partner administrator.
2. Select the Partner that has the Enterprise to be moved, and click Export Enterprise.
3. Select the Enterprise from the list, and click Export.
4. Click Home, select the check box next to the exported Enterprise, and click Delete.
5. Select the Partner where you want to move the Enterprise, and click Import Enterprise.
6. Select the Enterprise from the list of exported Enterprises, and click Import.
To move an Enterprise to another gateway, contact Professional Services.
Adding Administrator Accounts
The Root administrator of the Pulse Mobile Security Gateway can create other
administrator accounts at the Root, or for specific Partners and Enterprises. The
procedure for creating administrators is the same at each level. Select the Root, Partner,
or Enterprise in the navigation panel, create a role that has the administrator
permissions, create a user account that uses the role, and then assign a user control list
to the account.
Informational Note: Do not change the name of the predefined Root account
([email protected]). The Root account is required to configure the Control
Center and Malware Signature Server settings for malware signature updates.
Adding an Administrator Role
A role is a set of permissions that you can apply to a user account. For example, you can
define a role that allows view permission on everything but allows edit permission on
only a few objects. For an administrator role, you typically allow all permissions.
To define an administrator role:
1. In the navigation panel, select the Root, a Partner, or an Enterprise. The role must be
created at the same level as the user accounts where you want to apply the role.
Informational Note: To allow administrators to add a Partner, the Root level must
be selected.
2. At the top of the page, click Admin. Root administrators must select Admin > User Roles.
3. On the Roles tab, click Add Role.
4. Select the permissions View, Add, Edit, Delete, and Move for each of the following
objects. Click Select All to enable all permissions. The following table describes the
effect of the View permission, which is required for all other permissions.
Object Description of View Permission
Partner Displays the Partners and their Enterprises in the navigation panel.
Enterprise Displays the Settings tab for each Enterprise. The Edit permission displays
an icon next to each Enterprise on the Partner page that allows the general
settings to be changed, such as the Enterprise name. To allow changes to
all other Enterprise settings, select Edit Enterprise Settings under
Additional Permissions (see Step 5).
Device Identity Server Displays the Device Identity Servers selection on the Root and Partner
home pages, and on the User tab for each Enterprise.
User Displays the Users tab for each Enterprise, and the User Accounts
selection on the Root and Partner home pages.
User Group Displays the User Groups selection on the Users tab.
User Role Displays the Roles page from the Admin menu. The Add permission allows
roles to be defined, but the Assign User Role(s) permission is needed to
assign a role to an account (see Step 5).
Device Displays the Devices tab for each Enterprise.
Device Group Displays the Device Groups selection on the Devices tab.
Firewall Rule Displays the Firewall Rules selection on the Profiles tab for all levels.
iOS Profile Displays the iOS Profiles selection on the Profiles tab for each Enterprise.
Firewall Profile, Antispam Rule, Antispam Profile Displays each selection on the Profiles tab for all levels.
Android Prohibited Application Displays the Prohibited Applications selection on the Profiles tab at the
Root level.
System Settings Displays the System Settings selection on the Root and Partner home
pages, and on the Settings tab for each Enterprise.
5. Scroll down and select the following items in the Additional Permissions section.
Click Toggle to select or clear all of the check boxes.
Additional Permission Description
Use Enterprise Console Allows users to log in to the management Console.
Assign User Role(s) Displays an icon next to each role and user account on the Roles page and
User Accounts page that allows roles to be assigned to each account.
Assign User Access Control List Displays an icon next to each user account on the User Accounts page that
allows an access control list to be assigned to each account.
Send Commands Displays the Send Commands button on the Devices page that allows
device commands to be sent to registered devices.
Access Logs Displays the Logs tab, which provides access to the Enterprise and Change
History logs.
Access Profiles Displays the Profiles tab, which provides access to the Antispam, Firewall,
and iOS profiles.
Export Enterprise Displays the Export Enterprise button on the Partner page.
Import Enterprise Displays the Import Enterprise button on the Partner page.
Edit Enterprise Settings Displays the Enterprise Settings selection on the Settings tab.
View UUID Displays the UUID number in the General settings on the Enterprise tab (if
any).
Generate UUID Displays the Generate UUID button in the General settings on the
Enterprise tab (View UUID also must be enabled).
View Command List Displays the Command List selection on the Help menu.
View Virus Definition List Displays the Virus Definition List selection on the Help menu.
Access Reports Displays the Reporting tab, which allows access to the following selected
reports (the Summary report is always available):
Virus Discovery Alerts
Profile Update
Registration
Software Update
Monitor & Control
App Revocation
App Revocation List
GPS Tracking
Command History
Android Malware
6. Click Save to create the Role and close the dialog box.
Adding a User Account
To create a user account:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. If you select an Enterprise, click the Users tab.
3. Click Add User Account and specify the following information:
First Name and Last Name
User Name—Name used to log in to the gateway. The user name must be an
e-mail address.
Password and Confirm Password—The password for logging in to the gateway.
Passwords must contain at least eight characters and cannot include the user
name.
4. Click Save to create the account and close the dialog box.
Assigning a Role and User Control List to a User Account
After you create a role and user account, you assign the role to the account and select a
user control list to specify the objects in the navigation panel that the user can access.
To assign a role and user control list to an account:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. If you select an Enterprise, click the Users tab.
3. Click User Accounts.
4. In the list of user accounts, click the Assign User Roles icon in the last column of the
table for the user account you want to update, select the check box for the role you
want to assign to the user, and then click Save.
5. Click the Assign User Control List icon in the last column of the table for the user
account, and select the check boxes for the objects that you want to allow the user
to access. Selecting an object allows access to that object and all objects lower in
the hierarchy. For example, if you select a Partner, the user can access all
Enterprises for that Partner.
6. Click Save to save the account.
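The permission dependencies described in this section (View is required for every other permission, Generate UUID requires View UUID, and a user control list entry grants access to every object below it) can be reviewed before a role is assigned. The following Python code is an added example and is not part of the guide or of the gateway's API; the Role structure, the finding texts, and the sample Partner and Enterprise names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Role:
    """Hypothetical in-memory form of a role as described in this section."""
    name: str
    object_perms: Dict[str, Set[str]] = field(default_factory=dict)  # object -> permissions
    additional: Set[str] = field(default_factory=set)                # Additional Permissions


def lint_role(role: Role) -> List[str]:
    """Report permission combinations that the guide says have no effect alone."""
    findings = []
    for obj, perms in sorted(role.object_perms.items()):
        others = sorted(perms - {"View"})
        if others and "View" not in perms:
            findings.append(f"{obj}: {'/'.join(others)} set without View")
    if "Generate UUID" in role.additional and "View UUID" not in role.additional:
        findings.append("Generate UUID needs View UUID")
    if ("Add" in role.object_perms.get("User Role", set())
            and "Assign User Role(s)" not in role.additional):
        findings.append("User Role Add defines roles but cannot assign them")
    if ("Edit" in role.object_perms.get("Enterprise", set())
            and "Edit Enterprise Settings" not in role.additional):
        findings.append("Enterprise Edit covers general settings only")
    return findings


# Constructed sample hierarchy: each object maps to its parent in the navigation panel.
SAMPLE_PARENT: Dict[str, Optional[str]] = {
    "Root": None,
    "Default Partner": "Root",
    "Partner B": "Root",
    "Default Enterprise": "Default Partner",
    "Enterprise B1": "Partner B",
}


def can_access(control_list: Set[str], target: str,
               parent: Dict[str, Optional[str]] = SAMPLE_PARENT) -> bool:
    """A user reaches `target` if it, or any ancestor, is on the user control list."""
    node: Optional[str] = target
    while node is not None:
        if node in control_list:
            return True
        node = parent.get(node)
    return False


if __name__ == "__main__":
    helpdesk = Role(
        "helpdesk",
        {"Device": {"Edit"}, "Enterprise": {"View", "Edit"}, "User Role": {"View", "Add"}},
        {"Generate UUID"},
    )
    for finding in lint_role(helpdesk):
        print(finding)
    print(can_access({"Partner B"}, "Enterprise B1"))       # below the selected Partner
    print(can_access({"Partner B"}, "Default Enterprise"))  # belongs to another Partner
```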
Registering Devices
To manage a mobile device with the Pulse Mobile Security Gateway, the Pulse client
must be installed on the device, and then the device must be registered with an
Enterprise defined on the gateway. Devices can be registered manually, where the user
enters an e-mail address, password, and license key, or automatically, where the device
is registered through a device identity server (DIS) with little or no user input.
The following registration methods are supported:
“Manual Registration of iOS Devices” on page 18
“Manual Registration of non-iOS Devices” on page 19
“Automatic Registration” on page 19
Manual Registration of iOS Devices
To register an iOS device manually, the administrator sends an e-mail to the device that
includes the following:
The download URL of the Pulse client in the iTunes App Store. The standard URL is:
http://itunes.apple.com/us/app/junoe-pulse/id381348546?mt=8
The license key (Enterprise code)
A junospulse URL that specifies the Pulse Mobile Security Gateway. Users click the link
and enter an e-mail address, password, and license key to register the device. The
default URL is:
junospulse:///?method=mss&action=autoRegister&url==https:/mss.junospulse.juniper.net/smobile/ident/registerDevice.htm
If you know the UDID of the iOS device, you can generate the registration e-mail
automatically by adding the device to the gateway (see “Adding Devices Manually” on
page 46). The generated e-mail contains the license key, the Software Download URL
specified for the Enterprise, and the default junospulse URL. Alternatively, you can add
the user account, rather than the device, and then include the account name and
password in the registration e-mail.
Informational Note: After an iOS device is registered (manually or automatically), the
device profile must be deleted before the device can be reregistered. Users who reinstall
the Pulse client must manually delete the Juniper MDM.C profile under Settings >
General-Profiles before they can reregister the device.
Manual Registration of non-iOS Devices
To register a non-iOS device manually, the administrator uses SMS or e-mail to send the
Pulse client download URL and license key (Enterprise code) to the user. If the device’s
phone number is added manually to the gateway, the license key and Software
Download URL specified for the Enterprise are sent to the user automatically over SMS
(see “Adding Devices Manually” on page 46). If you add the user account, rather than
the device, you must include the account name and password in the registration e-mail
or SMS message.
When a standard non-iOS Pulse client is started for the first time, it accesses a gateway
hosted by Juniper Networks, and the user is prompted to enter an e-mail address,
password, and license key to register the device. Branded clients can be configured to
access a customer-specific gateway.
Note the following:
Windows Mobile and Symbian devices must be registered manually.
Non-iOS tablet devices that do not support SMS cannot receive the SMS message
generated when the device is added manually to the gateway.
Automatic Registration
To register an Android, Blackberry, or iOS device automatically, the administrator
configures a device identity server (DIS) to approve each device before it is registered. If
a device is approved, it can be registered automatically or the user can be prompted for
more information (see “Configuring Device Identity Servers” on page 19).
Configuring Device Identity Servers
Juniper Networks Professional Services can help you configure a device identity server
to approve Android, iOS, and Blackberry devices before they are registered with the
Pulse Mobile Security Gateway. When the Pulse client is started, it requests the identity
server to approve the device. If the device is approved, the Pulse client can register the
device with the gateway without requiring the user to enter a license key.
The registration process using a device identity server can be customized for each
environment, but the general procedure is as follows:
1. After a user installs a standard Junos Pulse client, the administrator sends an
e-mail or SMS message that specifies a link to a web page where the user can
select a junospulse URL to access the device identity server. For rebranded Pulse
clients, the URL of the identity server is predefined, and the identity server is
accessed automatically.
Informational Note: The Blackberry Pulse client must be rebranded to access a
device identity server.
2. When the user confirms that they want to register, the Pulse client sends an
approval request to the identity server that includes the device identifiers.
3. Optionally, the identity server can prompt for information to verify the user. If the
device is approved, a Security Assertion Markup Language (SAML) assertion and
the URL of the Pulse Mobile Security Gateway are returned to the client. The SAML
assertion includes the license key needed to register the device, the device
identifiers, the user’s account name, and (optionally) a password that allows the
user to access the gateway Dashboard.
If the device is not approved, the identity server returns an error. The error can
display a customized message to the user.
4. If the identity server approves the device, the Pulse client sends the registration
request and SAML assertion to the gateway.
5. The gateway registers the device and returns a profile of settings to the device.
To encrypt the SAML assertions, the device identity server must import a certificate
from the Pulse Mobile Security Gateway, and to verify the SAML assertions, the gateway
must import a certificate from the identity server. The following topics describe how to
import the required certificates:
“Importing Certificates for Device Identity Servers” on page 20
“Importing the Certificate for the Pulse Mobile Security Gateway” on page 20
Importing Certificates for Device Identity Servers
The certificate for each Device Identity Server to be used for automatic registration
must be imported to the Pulse Mobile Security Gateway. The public key in the certificate
is needed to verify the signature in the SAML assertions sent by the identity server.
To import a certificate for a device identity server:
1. Obtain the certificate file for the device identity server in Distinguished Encoding
Rules (DER) format.
2. Log in to the Pulse Mobile Security Gateway and select the Root, a Partner, or an
Enterprise.
3. If you select an Enterprise, select the Users tab. When a device identity server is
defined for an Enterprise, only that server can approve devices for registration with
the Enterprise.
4. Click Device Identity Servers, and then click Add Device Identity Server.
5. Specify the following server properties:
Device Identity Server—Name of the identity server.
SAML Issuer—Name of the issuer that the identity server specifies in the SAML
assertions sent to approve a device.
Signing Certificate—Click Browse and select the certificate file for the identity
server.
6. Click Save to import the certificate.
Importing the Certificate for the Pulse Mobile Security Gateway
A private key and certificate for the Pulse Mobile Security Gateway must be created with
a third-party tool (such as OpenSSL) and imported to the gateway. The private key and
certificate must be saved in a PKCS12 file. The certificate file (without the private key)
must also be imported in DER format to each device identity server defined on the
gateway so that the public key in the certificate can be used to encrypt the SAML
assertions.
Informational Note: The Delete Device Identity Server role permission is required to
import the certificate.
To import the certificate for the Pulse Mobile Security Gateway:
1. Generate a private key and certificate in a PKCS12 file.
2. Log in to the Pulse Mobile Security Gateway as a Root administrator and select the
Root in the navigation panel.
3. On the Home page, click Device Identity Servers, and then click Decryption Key and Certificate.
4. Click Choose File and select the PKCS12 file that contains the certificate and private
key for the gateway.
5. Enter the password that was used to encrypt the private key.
6. Click Save to import the certificate.
7. Import the gateway certificate file (in DER format) to each identity server to be
used for automatic registration.
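The certificate handling in this section, together with the earlier statement that the identity server encrypts to the gateway certificate and the gateway verifies with the identity server certificate, as an added example that is not part of the guide: it builds the gateway PKCS12 and DER files with OpenSSL, checks that both carry the same key, and walks the two trust directions, including a signer the gateway never imported. Self-signed certificates, file and subject names, the passphrase and the payload are assumptions, and CMS stands in for SAML's XML signature and encryption.

```shell
#!/bin/sh
# Added example, not from the guide. File names, subject names, the passphrase
# and the payload are constructed; CMS stands in for SAML XML signature and
# encryption, which the openssl command line does not implement.
set -eu
export P12_PASS="${P12_PASS:-constructed-example-passphrase}"

# new_identity PREFIX CN: RSA-2048 key, self-signed certificate (an assumption;
# a CA-issued certificate works the same way) and its certificate-only DER copy.
new_identity() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes -subj "/CN=$2" \
    -keyout "$1.key.pem" -out "$1.cert.pem" 2>/dev/null
  openssl x509 -in "$1.cert.pem" -outform DER -out "$1.cert.der"
}

# to_p12 PREFIX: bundle key and certificate into a passphrase-protected PKCS12
# file (passphrase taken from P12_PASS), then remove the unencrypted PEM key.
to_p12() {
  openssl pkcs12 -export -inkey "$1.key.pem" -in "$1.cert.pem" \
    -out "$1.p12" -passout env:P12_PASS
  rm -f "$1.key.pem"
}

# pubkey_of_der FILE: SHA-256 of the public key in a DER certificate.
pubkey_of_der() {
  openssl x509 -inform DER -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# pubkey_of_p12 FILE: SHA-256 of the public key derived from the private key in
# a PKCS12 file. Returns non-zero when P12_PASS does not open the file.
pubkey_of_p12() {
  key=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null) || return 1
  printf '%s\n' "$key" | openssl pkey -pubout -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# dis_issue DIS_PREFIX GATEWAY_DER PAYLOAD OUT: identity-server side. Sign with
# the DIS private key, then encrypt to the imported gateway certificate.
dis_issue() {
  openssl x509 -inform DER -in "$2" -out "$4.rcpt.pem"
  openssl cms -sign -binary -nodetach -nocerts -signer "$1.cert.pem" \
    -inkey "$1.key.pem" -in "$3" -outform DER -out "$4.signed"
  openssl cms -encrypt -binary -aes256 -in "$4.signed" -outform DER \
    -out "$4" "$4.rcpt.pem"
  rm -f "$4.signed" "$4.rcpt.pem"
}

# gateway_accept GATEWAY_P12 DIS_DER IN OUT: gateway side. Decrypt with the
# PKCS12 private key, then accept only a signature made with the imported DIS
# certificate (-nointern ignores any certificate carried in the message).
gateway_accept() {
  work=$(mktemp -d) || return 1
  if openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS \
       -out "$work/gw.pem" 2>/dev/null &&
     openssl x509 -inform DER -in "$2" -out "$work/dis.pem" &&
     openssl cms -decrypt -binary -inform DER -in "$3" -inkey "$work/gw.pem" \
       -recip "$work/gw.pem" -out "$work/signed" 2>/dev/null &&
     openssl cms -verify -binary -inform DER -in "$work/signed" -nointern \
       -noverify -certfile "$work/dis.pem" -out "$4" 2>/dev/null
  then rc=0; else rc=1; fi
  rm -rf "$work"
  return "$rc"
}

demo() {
  dir=$(mktemp -d)
  new_identity "$dir/gateway" "msg.example.test"; to_p12 "$dir/gateway"
  new_identity "$dir/dis" "dis.example.test"
  new_identity "$dir/other" "dis.example.test"   # same name, different key
  printf 'constructed stand-in for an approval assertion\n' > "$dir/payload"
  [ "$(pubkey_of_der "$dir/gateway.cert.der")" = "$(pubkey_of_p12 "$dir/gateway.p12")" ] &&
    echo "gateway PKCS12 and DER certificate carry the same key"
  dis_issue "$dir/dis" "$dir/gateway.cert.der" "$dir/payload" "$dir/good.cms"
  dis_issue "$dir/other" "$dir/gateway.cert.der" "$dir/payload" "$dir/bad.cms"
  gateway_accept "$dir/gateway.p12" "$dir/dis.cert.der" "$dir/good.cms" "$dir/out" &&
    echo "signed by the imported DIS certificate: accepted"
  gateway_accept "$dir/gateway.p12" "$dir/dis.cert.der" "$dir/bad.cms" "$dir/out2" ||
    echo "signed by a key the gateway never imported: rejected"
  rm -rf "$dir"
}
demo
```

Comparing the two key digests before uploading catches the common mistake of pairing a DER certificate with a PKCS12 file generated from a different key.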
Configuring C2DM and System Log Settings
The System Settings for the Pulse Mobile Security Gateway let you configure the Cloud
to Device Messaging (C2DM) service and the severity level of messages written to the
system log. C2DM provides an alternative to SMS for communicating with Android
devices (version 2.2 or later). If the C2DM service is not configured, or does not
acknowledge a command in five minutes, the communication method defaults to SMS
(database administrators can change the default wait time).
The C2DM service can be configured at the root level of the gateway and for specific
partners and enterprises. In each case, you must sign up for C2DM at:
http://code.google.com/android/c2dm/signup.html
Specify the package name as net.juniper.junos.pulse.android, and specify a unique Gmail
account as the sender account. In addition, each Android user must create a Gmail
account on the device, and then power off and power on the device.
Informational Note: The System Settings role permission is required to view or edit
the C2DM and system log settings.
To configure the C2DM and system log settings:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. On the Home page, click System Settings.
3. Specify the following information:

| Setting | Description |
| --- | --- |
| Severity | At the Root level, you can select the severity level of the messages sent to the system log. The selected level includes all messages that have a lower severity. For example, selecting Info includes all messages except Debug. Fatal—Critical error messages about system failures. Error—Noncritical error messages, such as license expired. Warn—Informational messages about minor events that are not errors (the default). Info—Informational messages, such as command sent. Debug—All messages, plus detailed messages about internal processing. |
| C2DM Sender Account Email | Gmail address used to send messages to Android devices. |
| C2DM Sender Account Password | Password of the Gmail address. NOTE: This password must be updated whenever the password of the Gmail account is changed. If the passwords do not match, device commands are shown as failed on the Command History report, and CDM0006 : Unauthorized - need token errors are written to the Enterprise log. The failed commands will be re-sent over SMS. |
| C2DM Send Endpoint | Name of C2DM server provided by Google when you sign up for the C2DM service. |

4. Click Save. You may be prompted to enter the text displayed in a CAPTCHA image.
Updating Malware Signatures
The Juniper Networks Mobile Threat Center (MTC) regularly publishes a new set of
malware signatures (virus definitions) to one or more Malware Signature Update
servers. The new signatures can be downloaded to the Pulse Mobile Security Gateway,
and then downloaded to the managed devices in all Enterprises when the devices
check in with the gateway (non-iOS devices only).
When a new set of signatures is published, the Juniper Networks Control Center can
notify each gateway to download the new signatures from the appropriate server, or the
gateway can obtain the signatures by polling the Signature Update server.
The gateway uploads reports of the detected viruses to the Control Center for trend
analysis by the Mobile Threat Center. The devices in the virus reports remain
anonymous. Customers who install their own gateway can elect to poll the Signature
Update server without connecting to the Control Center.
To configure the gateway for automatic signature updates:
1. Log in to the gateway as [email protected].
2. Import the gateway certificate provided by Juniper Networks. You may have to
create a Certificate Signing Request to obtain the certificate.
3. Import the certificates for the Control Center and Malware Signature Update server.
4. Configure the server settings for the Control Center and the Malware Signature
Update server.
Customer Support or Professional Services can provide the settings and certificates for
the Control Center and the Malware Signature Update server.
“Creating Certificates for the Pulse Mobile Security Gateway” on page 22
“Importing Certificates for the Control Center and Signature Update Server” on
page 23
“Configuring the Control Center Settings” on page 24
“Configuring the Signature Update Server” on page 24
Creating Certificates for the Pulse Mobile Security Gateway
To communicate with the Control Center, a certificate from Juniper Networks must be
imported to the gateway. Connecting to the Control Center is optional for customers
who install the gateway in their own network.
To import and maintain certificates for the gateway:
1. Log in to the gateway as [email protected].
2. Select Admin > Certificates in the top panel.
3. To upload an existing certificate, click Upload, specify the following, and click
Upload again:
If the certificate and private key are in one file, click Browse to select the file, and
enter the password used to encrypt the private key. The file must be in PKCS12 or
PEM format (file extension .pks, .pkcs12, .pfx, or .pem).
If the certificate and private key are in separate files, click Browse to select each
file, and enter the password used to encrypt the private key. The file must be in
DER or PEM format (file extension .der or .pem).
4. To obtain a new certificate:
a. Click Create under Certificate Signing Requests, and specify the following
information:
Common Name—Name associated with your company.
Organizational Unit—Name of your department.
Organization Name—Name of your company/organization.
Locality—Name of the city where your organization is located.
State—Full name of your state or province.
Country—Two-letter code that identifies your country.
Key Length—Select the length of the key (1024 or 2048 bits).
b. Click Create to add the request to the list of signing requests.
c. Click the new request and follow the instructions to submit the request to a
Certificate Authority (CA).
d. When you receive the certificate, select the request again, click Browse, select
the certificate file, and click Upload. The signing request is deleted, and the
certificate is added to the list of gateway certificates.
5. To renew a certificate, select the check box next to the certificate, and click Renew.
Click Browse in the Renew Certificate window to select the certificate file, and click
Renew.
6. To download a certificate file, click the certificate, and click Download.
The CA certificate used to sign the gateway certificate must be imported to the Control
Center by Juniper Networks personnel.
Importing Certificates for the Control Center and Signature Update Server
To import the certificates for the Control Center and Signature Update Server:
1. Log in to the gateway as [email protected].
2. Select Admin > Certificates in the top panel.
3. Click the Trusted CAs tab.
4. Click Upload, select the certificate file for the Control Center, and click Upload. The
certificate is added to the list of Trusted CA certificates. Repeat this step to import
the certificate for the Signature Update server. The Control Center certificate is
optional for customers who install the gateway in their own network.
Configuring the Control Center Settings
When a new set of malware signatures is published to a Signature Update Server, the
Control Center administrator notifies the gateway to download the new signatures from
the appropriate server. The gateway also polls the Signature Update Server periodically
and uploads virus reports to the Control Center.
To configure the Control Center or view its connection status:
1. Log in to the gateway as [email protected].
2. Select Admin > MSG Control Center Settings in the top panel.
3. If the Control Center is configured, a colored dot next to the Control Center name
indicates whether the Control Center is connected to the gateway (green),
disconnected (red), or not enabled (grey). The gateway name used by the Control
Center and the Distinguished Name of the gateway certificate are also displayed. To
update the connection status, click Refresh Status.
4. To configure the Control Center, specify the following information, and click Save:

| Setting | Description |
| --- | --- |
| MSG Control Center URL | Specify the Control Center URL as https://mcc.junospulse.juniper.net. |
| MSG Certificate | Select the gateway certificate used to communicate with the Control Center. For the selected gateway certificate, a certificate for the CA that signed the gateway certificate must be imported to the Control Center. To create a gateway certificate, see “Creating Certificates for the Pulse Mobile Security Gateway” on page 22. |
| Enabled | Select the check box to enable the gateway to connect to the Control Center. If this check box is cleared, the URL for the Signature Update Server must be configured manually (see “Configuring the Signature Update Server” on page 24). |

Configuring the Signature Update Server
To download malware signatures from a Signature Update Server, a server account
name and password must be specified on the gateway. The gateway can download
new malware signatures when it receives a notification from the Control Center, or by
polling the Signature Update Server on a selected schedule. If the Control Center
connection is disabled, the URL of the Signature Update Server must be configured
manually.
Customer Support or Professional Services can provide the URL and account
information for the Signature Update Server.
To configure the Signature Update Server or view the signature status:
1. Log in to the gateway as [email protected].
2. Select Admin > Malware Signature Settings in the top panel.
3. The status section specifies the version number of the current signature set
installed on the gateway, and the date and time of the last signature update. The
Updated By field specifies how the last signature update was initiated:
MSG Control Center—A notification from the Control Center.
MSG (Scheduled)—A scheduled poll of the Signature Update Server.
MSG (Update Now)—A user clicked Save & Update Now on this page.
To update the signature status, click Refresh Status.
4. To configure the Signature Update Server, specify the following information:

| Setting | Description |
| --- | --- |
| Signature Update Server URL | If the Control Center connection is disabled, specify the URL of the Signature Update Server. |
| User Name, Password | Specify a user name and password for the Signature Update Server. |
| Update Schedule | Select how often the gateway polls the Signature Update Server. If you select Never, the gateway polls the server only when prompted by the Control Center. |

5. Click Save or click Save & Update Now to save your changes and poll the server for
new signatures.
Chapter 3
Device Profiles
This chapter is intended primarily for enterprise administrators who define the profiles
and policies that apply to the devices in a selected enterprise. These profiles specify
various platform-specific features that may or may not be implemented for each
enterprise.
Customer service personnel do not typically perform the tasks described in this chapter.
“Defining Prohibited Applications” on page 27
“Managing Profiles for iOS Devices” on page 28
“Managing Firewall Rules and Profiles” on page 36
“Managing Antispam Rules and Profiles” on page 38
Defining Prohibited Applications
The Pulse Mobile Security Gateway provides signatures that Android devices use to
detect malware and suspicious applications. In addition to malware signatures, which
are updated periodically, you can define a list of prohibited applications that should not
be installed on Android devices. The prohibited applications apply to all Android devices
in all Enterprises.
Informational Note: If prohibited applications are defined, applications are scanned
during installation even if the user disables scanning on the device.
Users can view and remove the malware, suspicious, and prohibited applications
discovered on their device. The gateway administrator can view the same information
for all devices on the Android Malware report (see “Viewing Reports” on page 57).
To define the prohibited applications:
1. In the navigation panel, select the Root level.
2. Select the Profiles tab, and then click Prohibited Applications.
3. To add an application to the list, click Add Prohibited Application, provide the
following information, and click Save:
Android Package Name—The package name of the application, such as
com.rovio.angrybirds (up to 100 characters).
Description—The common name of the application (up to 50 characters).
Custom Warning Message—Optional message displayed to the user when the
application is detected, such as Angry Birds is not permitted on your device.
4. To find all applications that include some specific text in the package name,
description, or warning message, enter the text in the Search box.
5. To change an application, select the application, make the changes, and click Save.
To remove an application from the list, select the check box next to the application,
and click Delete.
Managing Profiles for iOS Devices
The following topics describe how to manage iOS profiles:
“Adding and Editing iOS Profiles” on page 28
“Setting the Default iOS Profile” on page 35
“Deleting iOS Profiles” on page 35
Adding and Editing iOS Profiles
For an Enterprise that includes iOS devices, you can download a default profile of iOS
settings when iOS devices register with the Enterprise. The predefined AutomaticDefault
profile, which can be changed, is created automatically for each Enterprise.
You also can create additional iOS profiles and apply them to specific devices or groups
of devices after they are registered. When you change a profile, any device that has the
profile is updated by the next synchronization with the gateway or when the next
Update Profile command is sent to the device.
To add or edit iOS profiles:
1. In the navigation panel, select an Enterprise.
2. Select the Profiles tab and then click iOS Profiles.
3. Click Add Profile to add a new profile or select an existing profile that you want to
change. Selecting the check box next to a profile and clicking Copy adds a copy of
the profile to the end of the profile list named copy-of-<name>, which you can
modify as needed. If a profile is copied multiple times, the copied names start with
copy2-of-, copy3-of-, and so on.
Informational Note: Changing a profile that is used by a device requires both the
Edit Profile and Edit Device user privileges.
4. Specify the settings in each of the following sections of the profile by clicking the
section name in the left frame. To save the changes in each section, click Save
before selecting another section.
“General Settings” on page 29
“Exchange ActiveSync Settings” on page 29
“Security & Control” on page 30
“VPN Settings” on page 32
“Authentication Settings” on page 33
“Connectivity Settings” on page 33
“Tracking” on page 35
General Settings
The general settings in an iOS profile specify the profile name and a description of the
profile.

| Setting | Description |
| --- | --- |
| Name | Specify the name of the iOS profile (up to 50 characters). The name is the only required information for a new profile, and it must be unique. |
| Description | A description of the profile’s purpose (up to 300 characters). |

Click Save to save the settings.
Exchange ActiveSync Settings
The Exchange settings in an iOS profile can synchronize the e-mail account on an iOS
device with the e-mail account on a Microsoft Exchange server. The synchronized
information includes the inbox, outbox, draft folder, and list of contacts.

| Setting | Description |
| --- | --- |
| Require exchange setting on device | Select the check box to configure a Microsoft Exchange e-mail account on the device using the registered user name and the specified domain name. For example, if the user account on the Pulse Mobile Security Gateway is [email protected] and the specified domain name is juniper.com, the user is prompted for a password for the Exchange account [email protected]. Clearing this check box excludes Exchange settings from the profile. |
| Domain | Specify the domain name of the Microsoft Exchange account. |
| Exchange ActiveSync Host | Specify the name of the Microsoft Exchange server used by the device. The server name cannot include spaces. |
| Allow Move (iOS 5 only) | Select the check box to allow messages sent or received by this account to be moved to a different mail account. Also allows using another account to reply to or forward a message from this account. |
| Use Only in Mail (iOS 5 only) | Select the check box to allow only the Mail application to send messages from this account. Messages created by other applications, such as Photos or Safari, cannot be sent from this account. |
| Use SSL | Select the check box to use SSL to secure the data sent from the Microsoft Exchange server to the iOS device. If you clear this check box, the data is not encrypted. |

Click Save to save the settings.
Security & Control
The Security & Control settings in an iOS profile specify the password requirements and
other user restrictions.
Passcode
Click the Passcode tab to specify the following settings:

| Setting | Description |
| --- | --- |
| Require passcode on device | Select the check box to require the user to create a passcode before the profile can be installed. Users must enter the passcode to unlock or power on the device. The passcode also is used to encrypt application data on the device. |
| Auto-lock | Select the number of minutes (1 to 5) that a device can be inactive before it is locked. To unlock a locked device, the user must enter the passcode. The default (none) disables the auto-lock feature. |
| Grace period for device lock | Select the maximum amount of time that a device can be locked without requiring a passcode to unlock it. The default (none) indicates a passcode is always required to unlock the device. |
| Maximum number of failed attempts | Select the maximum number of consecutive invalid passcode entries allowed before all data on the device is erased. The default (none) indicates the device’s data is never erased due to invalid passcode entries. |
| Allow simple value | Select the check box to allow a passcode to contain repeated or sequential characters. |
| Passcode history | Specify the number of subsequent unique passcodes required (1 to 50) before a passcode can be repeated. A zero indicates that a passcode can be repeated without restrictions (the default). |
| Require alphanumeric value | Select the check box to require a passcode to contain at least one letter or number. |
| Minimum passcode length | Select the minimum number of characters required in a passcode. The default (none) indicates a passcode has no minimum length. |
| Minimum number of complex characters | Select the minimum number of non-alphanumeric characters required in a passcode, such as $ and &. The default (none) indicates that non-alphanumeric characters are not required. |
| Maximum passcode age | Enter the maximum number of days (1 to 730) a passcode can be used before the user is prompted to change it. The default (zero) indicates the same passcode can be used indefinitely. |

Click Save to save all changes to the passcode and restriction settings.
Restrictions
Click the Restrictions tab to specify the following settings:

| Setting | Description |
| --- | --- |
| Require restrictions on device | Indicates whether the selected restrictions are applied to the device. Clearing this check box disables the selected restrictions, if any. |
| Allow installing apps | Indicates whether users can install applications. Clearing this check box removes the App Store icon from the Home screen, and prevents users from installing or updating applications from the App Store or iTunes. |
| Allow use of camera | Indicates whether the camera is enabled. When this option is off, the Camera icon is removed from the Home screen, and users cannot take photographs or videos, or use FaceTime. If the camera is enabled, you can select Allow FaceTime to enable video phone calls. |
| Allow screen capture | Indicates whether users can save a screenshot of the display. |
| Allow automatic sync while roaming | Indicates whether push operations occur automatically outside the device’s home area. Clearing the check box can avoid roaming charges while still allowing users to obtain updates by manually accessing their iTunes or other accounts. |
| Allow voice dialing | Indicates whether users can dial phone numbers using voice commands. |
| Allow in-app purchase | Indicates whether users can make purchases online. |
| Force encrypted backups | Indicates whether device backups using iTunes are encrypted. |
| Ratings regions | Select the local country to determine the rating scheme used for movies, TV shows, and applications. |
| Allowed content ratings | Select the maximum ratings for movies, TV shows, and applications allowed on the device. You can also allow or disallow all movies, TV shows, and applications. |
| Allow use of YouTube | Indicates whether users can access YouTube on the device. Clearing this check box disables YouTube and removes the YouTube icon from the Home screen. |
| Allow use of the iTunes Music Store | Indicates whether users can access the iTunes Store on the device. Clearing this check box disables iTunes, removes the iTunes icon from the Home screen, and prevents users from previewing, purchasing, or downloading content. |
| Allow use of Safari | Indicates whether users can access the Safari web browser on the device. Clearing this check box disables the Safari application, removes the Safari icon from the Home screen, and also prevents users from opening web clips. If the browser is enabled, you can specify the following options: Enable auto-fill—Indicates whether web forms can be filled in automatically based on previous entries. Force fraud warning—Indicates whether a warning is displayed when users visit websites identified as fraudulent or compromised. Enable JavaScript—Indicates whether JavaScript is executed. Enable plugins—Indicates whether plugin modules are allowed. Block popups—Indicates whether popup windows are displayed. Accept cookies—Select when the browser accepts cookies (always, never, or only from visited websites). |
| Allow explicit music & podcasts | Indicates whether explicit music or video content purchased from the iTunes Store is hidden on the device. |
| Allow backup (iOS 5 only) | Indicates whether personal data is backed up automatically on iCloud. |
| Allow document sync (iOS 5 only) | Indicates whether iWorks documents are backed up automatically on iCloud. |
| Allow Photo Stream (iOS 5 only) | Indicates whether photos and screenshots taken with the device are uploaded automatically to iCloud for distribution to the user’s other devices. Caution: If this option is disabled, existing Photo Stream photos are deleted from the device, and photos on the Camera Roll cannot be sent to Photo Stream. |

Click Save to save all changes to the passcode and restriction settings.
VPN Settings
The VPN settings in an iOS profile specify one or more VPN policies. Each policy
identifies a VPN server that an iOS device can connect to for secure access to a private
network. In this release, the VPN server must be a Juniper Networks SA Series device.
To add or change the VPN settings:
1. Click Add to add a new policy or select an existing policy from the Current VPN list
that you want to change or copy. Clicking Copy creates a copy of the displayed
policy and inserts Copy-of- before the Connection Name.
2. Specify the following VPN settings for the policy, and click Save. Saving a new or
copied policy adds its Connection Name to the Current VPN list.

| Setting | Description |
| --- | --- |
| Connection Name | Specify the name of the VPN policy (up to 50 characters). The name is displayed on the device and must be unique. |
| Connection Type | Select the type of VPN. In this release, the VPN server must be a Juniper Networks SA Series device, and the connection type must be Juniper SSL. |
| Server | Specify the host name (up to 50 characters) or the IP address of the VPN server. |
| Realm | Specify the name of an authentication realm defined on the SA Series device (up to 50 characters). The realm defines the server used to authenticate the iOS device. |
| Role | Specify the name of the user role defined on the SA Series device (up to 50 characters). The user role defines the network resources the iOS device can access. |
| User Authentication | Select the method used to authenticate users on the VPN server: Password—Enter a valid username and password (up to 50 characters each) for an account on the VPN server. Certificate—Select a certificate from the Identity Certificate list and specify a valid username. To add certificates to the list, see “Authentication Settings” on page 33. |
| Enable VPN On Demand | If you select Certificate for the authentication method, you can select the check box to enable a VPN automatically when the user accesses specific hosts or domains. To specify the first host or domain: Match Domain or Host—Enter a hostname or a partial domain name (up to 100 characters). For example, if you enter example.com, a match occurs when the user accesses any domain that ends with example.com, such as www.test-example.com. On Demand Action—When a match occurs on the specified host or domain, select whether a VPN is always established, never established, or only if the DNS look-up fails (Establish If Needed). Selecting Never Establish does not prevent an existing VPN from being used. To add another domain, click the + button. To remove a domain, select the check box next to the domain and click the - button. |
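
The ends-with matching described for Match Domain or Host, as an added example that is not part of the guide: a shell check that classifies host names against an entry so that names sharing only the trailing characters can be reviewed before the rule is deployed. The host list is constructed, and the label-boundary classification is an analysis aid assumed here, not a gateway feature.

```shell
#!/bin/sh
# Added example, not from the guide. The host list is constructed.
set -eu

# match_kind ENTRY HOST prints how HOST relates to a Match Domain or Host entry:
#   exact        HOST equals ENTRY
#   subdomain    HOST ends with ".ENTRY" (match at a DNS label boundary)
#   suffix-only  HOST merely ends with the same characters as ENTRY
#   none         no match
# The first three all count as a match under the ends-with rule in the table.
match_kind() {
  entry=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  host=${host%.}                      # ignore a trailing root dot
  case "$host" in
    "$entry")        echo exact ;;
    *".${entry#.}")  echo subdomain ;;
    *"$entry")       echo suffix-only ;;
    *)               echo none ;;
  esac
}

# unintended_matches ENTRY: read host names on stdin (one per line) and print
# those that would trigger the rule without being ENTRY or one of its subdomains.
unintended_matches() {
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    if [ "$(match_kind "$1" "$h")" = suffix-only ]; then printf '%s\n' "$h"; fi
  done
}

# Constructed host names, such as might be taken from a proxy or DNS log.
sample_hosts() {
  cat <<'EOF'
www.example.com
example.com
www.test-example.com
notexample.com
example.com.invalid
EOF
}

for h0 in $(sample_hosts); do
  printf '%-22s %s\n' "$h0" "$(match_kind example.com "$h0")"
done
echo "review before deploying the entry example.com:"
sample_hosts | unintended_matches example.com
```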
Authentication Settings
The Authentication settings in an iOS profile specify one or more policies that allow the
device to obtain certificates from a certification authority (CA) using the Simple
Certificate Enrollment Protocol (SCEP). Each policy identifies a SCEP server that an iOS
device can access to obtain certificates.
To add or change the SCEP settings:
1. Click Add to add a new policy, or select an existing policy from the Current SCEP
Rule list that you want to change or copy. Clicking Copy creates a copy of the
displayed policy and inserts Copy-of- before the CA name.
2. Specify the following settings for the policy, and click Save. Saving a new or copied
policy adds its name to the Current SCEP Rule list.
Setting Description
URL Specify the URL of the SCEP server (up to 100 characters).
Name Specify the name of a certificate authority instance (up to 50
characters). This name can be used to distinguish different certificates
obtained from the same SCEP server.
Subject Specify the subject of the certificate in X.500 format, with object IDs and
values separated by slashes (up to 100 characters). For example,
/C=US/O=Juniper Networks/CN=foo/1.2.5.3=bar.
Subject Alternative Name Type
If the CA requires an alternative subject name, select the name type:
RFC-822 name (an e-mail address), DNS server name, or Uniform
Resource Identifier.
Subject Alternative Name Value
Specify an alternative subject name for the selected name type (up to
100 characters).
NT Principal Name Specify an NT Principal name for use in the certificate request, if required
by the CA (up to 100 characters).
Challenge Specify the password required by the SCEP server, if any (up to 50
characters).
Key Size Select the number of bits in the key (1024 or 2048), and select the
following options to indicate how the key is used:
Use as digital signature—Indicates the key is used for the digital
signature.
Use for key encipherment—Indicates the key is used for key encryption.
Fingerprint If the CA uses HTTP, rather than HTTPS, enter the fingerprint of the CA’s
certificate (up to 100 characters), which the device uses to confirm the
authenticity of the CA’s response during the enrollment process. You can
enter a SHA1 or MD5 fingerprint, or create a SHA1 fingerprint from a
certificate by clicking Browse and selecting the certificate file. The
certificate must be in PEM format, with a file extension of .pem, .crt, .cer,
or .key.
Connectivity Settings
The Connectivity settings in an iOS profile specify one or more Wi-Fi rules. Each rule
specifies a wireless network that the iOS device can access.
To define the Wi-Fi rules:
1. Click Add to add a new rule or select an existing rule from the Current Wi-Fi Rule list
that you want to change or copy. Clicking Copy creates a copy of the displayed rule
and inserts Copy-of- before the wireless ID.
2. Specify the following settings for the policy, and click Save. Saving a new or copied
rule adds its wireless ID to the Current Wi-Fi Rule list.
Setting Description
Server Set Identifier Specify the ID of the wireless network (up to 32 characters).
Security Type Select the type of authentication used by the network, and specify the
password or Enterprise settings, as required:
None—No authentication required.
WEP—Wired Equivalent Privacy used for a non-enterprise network.
Enter the password in the displayed text box.
WPA/WPA2—Wi-Fi Protected Access used for a non-enterprise
network. Enter the password in the displayed text box.
Any (Personal)—WEP, WPA, or WPA2 used for a non-enterprise
network. Enter the password in the displayed text box.
WEP Enterprise—WEP used for an enterprise network. Enterprise
networks use the IEEE 802.1X authentication methods. Specify the
Enterprise settings in Step 3.
WPA/WPA2 Enterprise—WPA or WPA2 used for an enterprise network.
Specify the Enterprise settings in Step 3.
Any (Enterprise)—WEP, WPA, or WPA2 used for an enterprise network.
Specify the Enterprise settings in Step 3.
Hidden Network Select the check box if the network does not broadcast its identity.
3. If you select an enterprise Security Type, click the Protocols, Authentication, and
Trust tabs to specify the Enterprise Settings:
Protocols
Specify the following settings and click Save before selecting another tab.
Setting Description
Accepted EAP Types Select the Extensible Authentication Protocol (EAP) protocols
supported by the network’s RADIUS authentication server.
Inner Authentication If you select the TTLS protocol, select the protocol used to authenticate
the username and password (PAP, CHAP, MSCHAP, or MSCHAPv2).
EAP-Fast Optionally, select the following check boxes to allow the authentication
server to use a Protected Access Credential (PAC) to establish a tunnel
between the server and the iOS device:
Use PAC—Enables the use of a PAC.
Provision PAC—Allows the PAC to be applied to the iOS device
(required if Use PAC is enabled).
Provision PAC Anonymously—Allows the server to establish the tunnel
without a server certificate (no server authentication).
Authentication
Specify the following settings and click Save before selecting another tab.
Setting Description
Username Enter a valid username (up to 50 characters) for an account on the
authentication server.
Use Per-Connection Password
Select the check box to include the password for each connection.
Password Enter a password (up to 50 characters) for the specified username.
Tracking
For iPhones and iPads with 3G support running iOS 4.2 and higher, you can specify how
often the device reports its GPS coordinates to the gateway (the default is once a day).
You can also disable the GPS updates. To change or disable GPS updates, select the
appropriate option from the GPS Update Period list and click Save.
Informational Note: If GPS updates are disabled and then re-enabled, it may take up
to 48 hours for the GPS updates to resume.
The last reported location of a device can be viewed on the GPS Tracking Report (see
“Tracking Devices with GPS” on page 60).
Setting the Default iOS Profile
The default iOS profile is applied to iOS devices when they register with the Enterprise.
You can edit the predefined AutomaticDefault profile or you can select another profile
as the default. To change the selected default profile, you must have the Edit Enterprise
Settings user privilege.
To change the selected default iOS profile:
1. In the navigation panel, select an Enterprise.
2. Select the Profiles tab and then click iOS Profiles.
3. Select the check box next to the profile that you want to use as the default iOS
profile for the Enterprise.
4. Click Set Default.
5. In the last column of the table, Default is shown next to the selected profile.
Changing the default profile affects only devices that register after the default
profile is changed.
Deleting iOS Profiles
Deleting an iOS profile removes it from the profiles list. If a deleted profile is used by one
or more iOS devices, you are prompted to confirm the deletion. Any iOS devices in the
Enterprise that have a deleted profile are sent an InstallProfile command to install the
current default profile.
To delete the default profile, you must first select another iOS profile as the default.
However, the initial AutomaticDefault profile created automatically for each Enterprise
cannot be deleted.
To delete one or more iOS profiles:
1. In the navigation panel, select an Enterprise.
2. Select the Profiles tab and then click iOS Profiles.
3. Select the check box next to each profile you want to delete.
4. Click Delete.
Setting Description
Outer Identity When the TTLS, PEAP, or EAP-FAST protocol is used, you can specify an
alternate username to be used outside the encrypted tunnel, such as
anonymous (up to 50 characters). This increases security by concealing
the user’s identity in unencrypted packets.
Managing Firewall Rules and Profiles
The Pulse Mobile Security Gateway uses profiles to apply firewall policies to Windows
Mobile and Symbian devices. You create firewall rules, group the rules into profiles, and
then apply the profiles to an Enterprise or specific devices. Profiles assigned to an
Enterprise are applied to new devices when they register with the Enterprise.
You can define firewall rules and profiles at the Root, Partner, and Enterprise levels.
Enterprise administrators can assign profiles that were created at the Partner or Root
level, but Enterprise administrators cannot change those profiles.
Adding Firewall Rules
To add a firewall rule:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Firewall Rules.
3. Click Add Rule, and specify the following information:
Setting Description
Name The name of the firewall rule (up to 50 characters). The name and IP
address are required for a new rule, and the name must be unique.
Description A description of the rule’s purpose (up to 100 characters).
Type The action the rule performs (Allow or Block) on traffic that matches the
specified IP address, port numbers, and direction. The default is Disable,
which deactivates the rule until you change it to Allow or Block. The rule
also has no effect if the IP field or a port field is left blank.
IP The IPv4 address of the traffic in dotted decimal format (such as
10.100.10.1). An address can include asterisks (*) to indicate any value from
0 to 255 (such as 10.*.10.*).
Min Port and Max Port The port number range (0 to 65535) of the traffic. For a single port, enter
the same port number in both fields.
Direction The traffic direction (In, Out, or Both).
4. Click Save to save the rule.
Modifying Firewall Rules
You can modify a firewall rule only at the level where it was created. For example, if a
rule was created at the Partner level, you must be a Partner administrator to modify the
rule. Modifying a rule affects all firewall profiles that include the rule. Any device that has
an affected profile is updated by the next synchronization with the gateway or when the
next Update Profile command is sent to the device.
To modify a firewall rule:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Firewall Rules.
3. Click the rule that you want to change.
4. When you finish editing the rule, click Save to save the rule.
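How the firewall rule settings (Type, IP, Min Port and Max Port, Direction) combine for a single rule, as an added Python illustration that is not code from the guide or the gateway. The `FirewallRule` class and the function names are hypothetical, the sample rules are constructed, and treating Min Port greater than Max Port as an error is an assumption; the guide does not say how several rules in a profile are ordered, so the example evaluates one rule at a time.

```python
from dataclasses import dataclass
from typing import List, Optional

ALLOW, BLOCK, DISABLE = "Allow", "Block", "Disable"


def parse_ip_field(text: str) -> List[object]:
    """Parse dotted decimal; an octet may be '*' (any value from 0 to 255)."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    octets: List[object] = []
    for part in parts:
        if part == "*":
            octets.append("*")
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {text!r}")
    return octets


@dataclass
class FirewallRule:
    """Hypothetical model of one rule; the fields mirror the guide's settings."""
    name: str
    rule_type: str = DISABLE  # Disable is the guide's default Type
    ip: str = ""
    min_port: Optional[int] = None
    max_port: Optional[int] = None
    direction: str = "Both"

    def problems(self) -> List[str]:
        """Check the limits the guide states; an empty list means none found."""
        found = []
        if not 1 <= len(self.name) <= 50:
            found.append("Name is required (up to 50 characters)")
        if self.rule_type not in (ALLOW, BLOCK, DISABLE):
            found.append("Type must be Allow, Block or Disable")
        if self.direction not in ("In", "Out", "Both"):
            found.append("Direction must be In, Out or Both")
        if self.ip:
            try:
                parse_ip_field(self.ip)
            except ValueError as exc:
                found.append(f"IP: {exc}")
        ports = [p for p in (self.min_port, self.max_port) if p is not None]
        if any(not 0 <= p <= 65535 for p in ports):
            found.append("ports must be in the range 0 to 65535")
        elif len(ports) == 2 and self.min_port > self.max_port:
            found.append("Min Port exceeds Max Port")  # assumption: an error
        return found

    def is_effective(self) -> bool:
        """Disable, a blank IP or a blank port field leaves the rule inert."""
        return (self.rule_type in (ALLOW, BLOCK) and bool(self.ip)
                and self.min_port is not None and self.max_port is not None
                and not self.problems())

    def coverage(self) -> int:
        """Count the (address, port) pairs spanned, to spot broad rules."""
        if not self.is_effective():
            return 0
        addresses = 256 ** parse_ip_field(self.ip).count("*")
        return addresses * (self.max_port - self.min_port + 1)


def rule_action(rule, ip, port, direction) -> Optional[str]:
    """Return 'Allow' or 'Block' when the rule matches the traffic, else None."""
    if direction not in ("In", "Out"):
        raise ValueError("traffic direction is In or Out")
    address = parse_ip_field(ip)
    if "*" in address:
        raise ValueError("a traffic address cannot contain wildcards")
    if not rule.is_effective():
        return None
    if rule.direction not in ("Both", direction):
        return None
    if not rule.min_port <= port <= rule.max_port:
        return None
    pattern = parse_ip_field(rule.ip)
    if any(w != "*" and w != a for w, a in zip(pattern, address)):
        return None
    return rule.rule_type


# Constructed sample rules, not taken from any real deployment.
RULES = [
    FirewallRule("block-lab-telnet", BLOCK, "10.*.10.*", 23, 23, "In"),
    FirewallRule("allow-web-out", ALLOW, "10.100.10.1", 80, 443, "Out"),
    FirewallRule("draft-rule", DISABLE, "10.100.10.1", 0, 65535, "Both"),
    FirewallRule("ports-left-blank", ALLOW, "10.100.10.1"),
]

if __name__ == "__main__":
    for r in RULES:
        print(r.name, r.is_effective(), r.coverage(), r.problems())
    print(rule_action(RULES[0], "10.7.10.200", 23, "In"))
```

The `coverage` figure is a quick way to review Allow rules: each asterisk multiplies the number of addresses a rule spans by 256.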
Deleting Firewall Rules
Use caution when deleting a rule. Deleting a rule removes it from the rules list and from
all firewall profiles.
To delete one or more rules:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Firewall Rules.
3. Select the check box next to each rule you want to delete and click Delete, or click
the delete icon next to each rule.
Adding Firewall Profiles
Before you create a profile, you should define all of the firewall rules that you want to
include in the profile.
To add a firewall profile:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Firewall Profiles.
3. Click Add Profile, and provide the following information:
Name—The name of the firewall profile (up to 50 characters). The name is the
only required information for a new profile, and it must be unique.
Description—A description of the profile’s purpose.
Rules—Lists the names of firewall rules. Select the rules you want to add to the
profile, and click Add. To remove rules from the profile, select the rules from the
list on the right, and click Remove.
4. Click Save to save the profile.
Modifying Firewall Profiles
You can change a profile’s name, description, or rules. Any device that has the changed
profile is updated by the next synchronization with the gateway or when the next
Update Profile command is sent to the device.
To modify a firewall profile:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Firewall Profiles.
3. Click the profile you want to change.
4. Change the name or description, or use the Add and Remove buttons to change
the rules in the profile.
5. When you finish editing the profile, click Save.
Deleting Firewall Profiles
Use caution when you delete profiles. Deleting a profile removes it from the profiles list,
and any Enterprise or device that specified the profile is reset to No Profile.
To delete one or more profiles:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Firewall Profiles.
3. Select the check box next to each profile you want to delete, and click Delete.
Managing Antispam Rules and Profiles
The Pulse Mobile Security Gateway enforces antispam policies through profiles. You
create antispam rules to block incoming phone calls or SMS messages, group the rules
into profiles, and then apply the profiles to an Enterprise or specific devices. Profiles
assigned to an Enterprise are applied to new devices when they register with the
Enterprise.
You can define Antispam rules and profiles at the Root, Partner, and Enterprise levels.
Enterprise administrators can assign profiles that were created at the Partner or Root
levels, but Enterprise administrators cannot change those profiles.
Adding Antispam Rules
To add an antispam rule:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Antispam Rules.
3. Click Add Rule, and specify the following information:
Phone Number—The phone number of incoming calls or messages that you want
to block. This is the only required information.
Description—Provides more information about the rule.
Active—Toggles the status of the rule. The default setting is active.
Block Type—Select whether the specified phone number is blocked for incoming
phone calls, SMS messages, or both. Blocked phone calls are diverted to
voicemail.
4. Click Save to save the rule.
Modifying Antispam Rules
Modifying a rule affects all antispam profiles that include the rule. Any device that has
an affected profile is updated by the next synchronization with the gateway or when the
next Update Profile command is sent to the device.
To modify a rule:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Antispam Rules.
3. Click the rule that you want to edit to open the edit dialog box.
4. When you finish making changes, click Save.
Deleting Antispam Rules
Use caution when deleting a rule. Deleting a rule removes it from the rules list and from
all antispam profiles.
To delete one or more rules:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Antispam Rules.
3. Select the check box next to each rule you want to delete and click Delete, or click
the delete icon next to each rule.
Adding an Antispam Profile
Before you create an antispam profile, you should define all of the antispam rules that
you want to include in the profile.
To add an antispam profile:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Antispam Profiles.
3. Click Add Profile, and specify the following information:
Name—The name of the profile (up to 50 characters). The name is the only
required information for a new profile, and it must be unique.
Description—A description of the profile.
Rules—Lists the phone numbers of the antispam rules. Select the rules you want
to add to the profile, and click Add. To remove rules from the profile, select the
rules from the list on the right, and click Remove.
4. Click Save to save your changes.
Modifying an Antispam Profile
You can change a profile’s name, description, or rules. Any device that has the changed
profile is updated by the next synchronization with the gateway or when the next
Update Profile command is sent to the device.
To modify an antispam profile:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Antispam Profiles.
3. Click the profile you want to edit to open the edit dialog box.
4. Change the name or description, or use the Add and Remove buttons to change
the rules in the profile.
Deleting Antispam Profiles
Use caution when you delete a profile. Deleting a profile removes it from the profiles list,
and any Enterprise or device that specified the profile is reset to No Profile.
To delete one or more profiles:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. Select the Profiles tab and then click Antispam Profiles.
3. Select the check box next to each profile you want to delete, and click Delete.
Chapter 4
User Accounts
This chapter describes how to create and manage user accounts. It is intended for both
enterprise administrators and customer service personnel. Typically, customer service
personnel modify and delete user accounts, but do not manage user groups.
“Managing User Accounts” on page 41
“Managing User Groups” on page 43
Managing User Accounts
A user account is created automatically when a device is registered with the Pulse
Mobile Security Gateway. The e-mail address and password entered during a manual
registration also can be used to log in to the gateway Dashboard. For an automatic
registration, the account name and password are manually defined on the gateway or
supplied by a device identity server, in which case the administrator can send the
account information to the user.
An Enterprise setting can require administrators to manually create a user account
before the user is allowed to register. Typically, user accounts are created automatically
and administrator accounts are created manually. You also can create an administrator
account by assigning an administrator role and user control list to an existing user
account.
Adding a User Account
To create a user account:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. If you select an Enterprise, click the Users tab. If you select the Root or a Partner,
click User Accounts.
3. Click Add User Account and specify the following information:
First Name—First name of the user.
Last Name—Last name of the user.
User Name—Name used to log in to the gateway. The user name must be an
e-mail address.
Password and Confirm Password—Passwords must contain at least 8 characters
and cannot include the username.
4. Click Save to save the account.
To grant administrator privileges to a user account, you must define a user role, assign
the role to the account, and then specify a user control list (see “Adding Administrator
Accounts” on page 15).
Modifying User Accounts
For any user account, you can change the password, login name, account expiration
date, or account status. A common task is to reset a forgotten password. Users can
modify their own account by clicking My Account in the top panel.
To modify a user account:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
If you select an Enterprise, click the Users tab. If you select the Root or a Partner, click
User Accounts.
2. To limit the user list to specific criteria, click Add Filter, select a field to search and a
comparison operator (such as Equal To), and then enter a value and click Run Report. To remove the filter, click the Users tab or click the delete icon and click Run
Report.
For example, to view all users with gmail in the login name, click Add Filter, select
the Username field, select Like as the comparison operator, enter gmail as the
value and click Run Report.
3. Click the user account, and edit the following as required:
First Name—First name of the user.
Last Name—Last name of the user.
Username—The username must be an e-mail address.
Account Expiration Date—Click the calendar icon to select an expiration date for
the account. When the account reaches its expiration date, the status changes to
Deactivated, the user cannot log in to the gateway, and the user’s devices do not
receive virus definition updates.
Status—Choose one of the following:
Active—User can log in to the gateway, and the user’s devices can receive
updates from the gateway.
Locked—User cannot log in to the gateway. If Account Lockout is enabled,
this status is set after three unsuccessful login attempts.
Deactivated—User cannot log in and device updates stop.
New Password and Confirm Password—Specify a new password for this user
account. Make note of the password so that you can communicate it to the user.
Passwords must contain at least 8 characters and cannot include the username.
4. Click Save to save the account.
Deleting a User Account
To delete a user account:
1. In the navigation panel, select the Root, a Partner, or an Enterprise.
2. If you select an Enterprise, click the Users tab. If you select the Root or a Partner,
click User Accounts.
3. Select the check box next to the user accounts that you want to delete, and click
Delete.
Managing User Groups
User groups provide a convenient way to organize users and to send commands to all
the devices registered by the users in a group.
To create a new user group:
1. Select the Enterprise in the navigation panel.
2. Select the Users tab and click User Groups.
3. Click Add User Group and specify the user group properties:
Name—A unique group name.
Notes—Additional information about the group.
4. Click Save to save the group and close the window.
To add users to one or more user groups:
1. Select the Enterprise in the navigation panel.
2. Select the Users tab.
3. Select the check box for each user you want to add to a group.
4. Click Move To to open the Move To dialog box.
5. Select the target user groups, and then click Move.
Chapter 5
Devices
This chapter describes how to add devices to the Pulse Mobile Security Gateway and
manage them remotely from the management Console. These functions and
commands may be executed by enterprise administrators or customer service
personnel, as described in the following sections:
“Devices Overview” on page 45
“Adding Devices Manually” on page 46
“Modifying Device Settings” on page 46
“Applying iOS Profiles to Devices” on page 53
“Sending Device Commands” on page 54
“Backing Up and Restoring Personal Data” on page 56
“Managing Device Groups” on page 56
As noted in the following sections, customer service personnel typically perform only a
small subset of these tasks, such as adding devices manually, modifying some device
settings, and sending certain commands.
Devices Overview
Mobile devices are added to the Pulse Mobile Security Gateway when users register the
Pulse Mobile Security Suite software. Typically, users install the Junos Pulse Mobile
Security Suite software from their phone’s application store, and then register the
software by confirming a registration prompt or entering the license key provided by the
gateway administrator.
The device record and user account can be added to the gateway in advance or they can
be created automatically when a device is registered. Devices are managed by sending
commands to devices and modifying device settings. You can also organize devices into
groups, view reports for a specific group, and send commands to the devices in one or
more device groups.
Adding Devices Manually
Devices can be registered by manually adding them to the gateway. When you add a
device, the gateway sends an SMS message to non-iOS devices or an e-mail to iOS
devices. The message includes a license key, the Software Download URL specified in
the Enterprise Settings page, and, for iOS devices, a registration link to the gateway.
Customer service personnel and enterprise administrators may need to add devices
manually if automatic registration fails for any reason, or if manual registration is the
preferred method for an enterprise.
After the Pulse client is downloaded, the user is prompted for an e-mail address,
password, and license key to register the device (iOS users must click the registration
link). Windows Mobile and Symbian device users can enter just the license key to
register, in which case the IMEI number is used for the e-mail address (imei@a.a) and
password.
Informational Note: Non-iOS tablet devices must support SMS to receive the URL
and license key from the gateway.
To add a device manually:
1. Select the Enterprise in the navigation panel.
2. Select the Devices tab, click Add, and specify the following:
Phone Number—For non-iOS devices, enter the phone number of the device,
including the country code and area code. For example, 1603555121. For iOS
devices, leave this field blank.
Operating System—Select the operating system used on the device. If you select
iOS, you must also specify the following:
− Email - Enter an e-mail address for the device.
− UDID - Enter the Unique Device Identifier (UDID) for the device.
3. Click Save. The gateway uses SMS or e-mail to send a Pulse download link and
license key to the device.
Modifying Device Settings
Enterprise administrators and customer service personnel can change the default
device settings to enable additional features or resolve device and user issues. For
customer service representatives, the key settings are among those in the General Settings category described below.
Informational Note: Not all settings apply to all device types. For example, only the
General Settings, Handset Settings, and GPS Update Period apply to iOS devices.
To view and manage device settings:
1. Select the Enterprise in the navigation panel.
2. Select the Devices tab.
3. To view only devices that match specific criteria, select the field to be searched
from the Filter by list, enter or select a value, and click Search. The Device ID
selection searches all possible device ID fields (DID, ESN, IMEI, IMSI, and UUID).
Wildcard characters (such as * and ?) are not supported, but a match occurs on
any field that contains the specified value. For example, to view all devices with
phone numbers that start with 1614, select Device ID, enter 1614 as the value, and
click Search. To remove the filter, click the Devices tab.
4. In the Devices list, click a device to view and change the device settings. When you
finish making changes, click Save Changes to apply your changes. You can view
and edit the following device settings:
Setting Description
General Settings
User Username created when the device is registered. If necessary, you
can select another e-mail address to change the device user.
Phone Number Device phone number (MSISD number). If the phone number
changes, enter the new number here, including the country code
and area code.
For tablet devices that do not have a phone, this field is blank and
the device name is shown in the Phone/ID field on the Devices
page.
Device Type Description of the device type. If this field is left blank, the device
operating system is shown in the Device Type column on the
Devices page.
Operating System Operating system of the device.
Junos Pulse Version of the Junos Pulse client installed on the device.
Status The status can be any of the following:
Registered—The device is active.
Not Registered—The device was added to the gateway
manually, and the user has not initiated the registration process
through the client software.
Suspended—The device cannot communicate with the gateway
(assigned manually).
Deactivated—Same as the Suspended status.
Denied—The device is registered, but the device profile could not
be installed because the Topic value in the MDM device settings
does not match the User ID in the Subject field of the certificate
used by the gateway (iOS devices only).
Pending—The device is registered, but the installation of the
device profile is still pending (iOS devices only). If iOS devices
are registered before an APNS certificate is installed, their status
is Pending on the gateway, but Registered on the device. After
the APNS certificate is uploaded to the Enterprise, you must
notify registered iOS users to uninstall and reinstall the Pulse
client.
iOS Profile Profile that contains the rules that are applied to an iOS device. Use
the list box to select the profile. If you select the blank entry from
the profile list, a RemoveProfile command is sent to the device to
delete the current iOS profile.
Note: The device iOS profile must be deleted before a device can be reregistered. Registered users who reinstall the Pulse client must manually delete the Juniper MDM.C profile under Settings > General-Profiles.
UUID Universally unique identifier of the device.
IMEI International Mobile Equipment Identity is a number that identifies
each GSM and WCDMA mobile phone. The number is usually
printed inside the battery compartment of the device. For tablet
devices that do not have a Device Identifier (DID), this field
contains an ID number generated by the gateway during
registration.
IMSI The International Mobile Subscriber Identity is a unique number
associated with GSM and UMTS network phone users.
ESN The Electronic Serial Number is used for cell phone tracking and
activation in wireless carrier networks.
DID Device Identifier (same as the iOS UDID).
Update Schedule Select how often the device settings on the gateway, including virus
definitions, are synchronized with the settings on non-iOS devices.
Select never to disable synchronization with the gateway. If users
specify a different update schedule on the device, it will be
overwritten during the next synchronization.
For iOS devices, specify a check-in period in the Enterprise settings
(see “Editing the Default Enterprise Policy Settings” on page 9).
Android Malware Scan Interval Select Hours (1 to 72) or Minutes (1 to 999) and enter the number
of hours or minutes between scans for malware on Android devices.
To disable malware scanning, enter zero.
Expiration Date Date the license expires. The expiration date cannot exceed 2031.
License Created Date Date and time the license was created.
License Modified Date Date and time the license was modified.
Last Command Sent Date and time of the last command sent to the device (iOS devices
only).
Last Virus Update Date Date and time of the last update of the virus definitions (non-iOS
devices only).
Last Sync Date Date and time of the last synchronization of the gateway settings
with the settings on the device.
Notes Displays information retrieved from the device at registration time.
You can enter additional notes, as needed.
UI Mode Indicates the Junos Pulse features available to users of Android and
Blackberry devices. Select one of the following:
Full UI—Includes all features of the Junos Pulse client.
Minimal UI—Includes only a Splash screen, license screen, and a
Home screen with an About button. Detected viruses, malware,
and prohibited applications are deleted automatically, and
suspicious applications are displayed to the user so they can be
deleted or allowed. If a device does not support automatic
deletion of applications, the Scan Results page is displayed
periodically until the offending applications are deleted
manually.
Security UI—Includes all Junos Pulse features, except the ability
to define VPN connections to private networks. Users can scan
for viruses and malware, view scan results, back up data, and so
on.
UI Button Mode (service bundle) For Android and Blackberry devices, if the UI Mode is Full UI or
Security UI, the following features can be active or inactive, and
visible or hidden on the device and Dashboard. Active features can
be hidden to simplify the user interface. Inactive/Visible features
are grayed out so that users can select them to purchase the
feature. Professional Services can customize the URL associated
with grayed out buttons or text and assist you with enabling
features programmatically through the gateway API.
Select the activation status for each of the following:
Anti Virus—The Active/Visible selection displays a Scan/Threats
Detected button and a Security Settings selection on the device
so that users can start a scan or change the default scan and
virus update settings. On the Dashboard home page, an
Anti-Virus Activity section is displayed with an event count that
users can select to view the list of events.
The Active/Hidden selection hides the feature on the device and
Dashboard, but viruses, malware, and prohibited applications
are detected on the device and deleted automatically or the user
is prompted to remove them.
Backup—The Active/Visible selection displays a Backup button
on the device and a Backup and Restore button on the
Dashboard. Users can back up their personal contacts and
calendar from the device, but they must use the Dashboard (or
contact an administrator) to restore the last backup. The
Active/Hidden selection has the same effect as Inactive/Hidden.
Monitor & Control—The Active/Visible selection displays the
Remote Monitoring button on the device so that users can view
which items are monitored and whether GPS tracking is enabled.
The Dashboard is updated as follows:
− The Remote Monitoring section is displayed on the home
page with counts of the monitored messages, calls,
applications, and photographs that users can select to view
lists of each item.
− The Alert Setup tab allows users to set up alerts based on the
message content (if messages are monitored).
− The Reports tab allows users to view a Text and Email
Monitoring report.
− The Settings page allows users to change the default monitor
and control options for a device.
The Active/Hidden selection hides the feature on the device and
Dashboard, but allows an administrator to view the device
activity logs (see “Viewing the Applications, Contacts, Pictures,
and Messages on Managed Devices” on page 60).
Anti Theft—The following buttons can be displayed on the
Dashboard home page. If any of these buttons is visible, an Anti
Theft button is displayed on the device that allows users to view,
and optionally change, the status of each feature. Active/Visible
features are shown as enabled; Inactive/Visible features are
shown as disabled. The Active/Hidden and Inactive/Hidden
selections have the same effect.
− Wipe Device—The Active/Visible selection allows Dashboard
users to erase personal data from a device, depending on the
device type (see “Personal Data Erased by Handset Wipe
Command” on page 64).
− Lock/Unlock Device—The Active/Visible selection allows
Dashboard users to lock or unlock a device.
− Scream Locate—The Active/Visible selection allows
Dashboard users to enable an alarm to help locate a device in
the immediate area.
− Locate Device—The Active/Visible selection allows
Dashboard users to enable GPS reporting on a non-iOS device
and view the device’s location on a map. To view the location
of an iOS device, an administrator must enable GPS reporting
on the device.
− Custom Button—The Active/Visible selection displays a
customized button on the home page of the device and
Dashboard that users can select to purchase or cancel
optional features. The Inactive/Visible selection also displays
the button. Professional Services can configure the button
and its associated URL.
Android Password Policy and Control Encryption
Require encryption on device Prompts the user to enable encryption of application data on
Android devices (if encryption is disabled). If a passcode is not
defined on the device, PasswordNotSufficient is written to the
Enterprise log, and the user is not prompted to enable encryption.
Require passcode on device Prompts the user to set a passcode on Android devices.
Auto-lock Locks the device after the selected number of minutes (1 to 5) of
inactivity. Select — to disable the feature.
Maximum number of failed attempts Erases all data on the device after the selected number of login
attempts fails (4 to 16). Select — to disable the feature.
Allow simple value Allows a passcode with repeated, ascending, or descending
characters.
Require alphanumeric value Requires the passcode to have at least one letter.
Minimum passcode length Requires the passcode to have the selected number of characters
(1 to 16).
Minimum number of complex characters Requires a passcode to have the selected number of special
characters (1 to 4), such as @ and &. Select — to disable the requirement.
Passcode history Requires the specified number of unique passcodes (1 to 50)
before a passcode can be repeated. Enter a zero to disable the
requirement.
Maximum passcode age Prompts the user to change the passcode after the selected
number of days (1 to 730). Enter a zero to disable the prompt.
Antivirus Settings
Disable Handset Modifications Prevents users from changing the antivirus settings on non-iOS
devices, and the commands to enable or disable file scanning are
not persistent. During periodic synchronizations with the gateway,
the gateway settings override the settings on the device. Clear the
check box to allow the device settings to override the gateway
settings during each synchronization.
Scan Memory Card Enables periodic scans of the secure digital (SD) memory card on
non-iOS devices.
Scan Files Enables periodic scans of the files on non-iOS devices.
Scan Inside Archives Enables recursive scanning of archive files that are contained within
other archive files (Android devices only). The supported archive
files are .zip, .gzip, and .jar.
Optimize Media Scanning Enables media files larger than 1 MB to be skipped if the file has not
changed since the previous scan (Android devices only). A file is
skipped if the MD5 checksum has not changed. The supported
media files are .gpp, .m4a, .mov, .mpg, .mp3, .mp4, .wav, .bmp, .gif, .jpg, .png, and .tif/.tiff.
Firewall Settings (Win Mobile and Symbian only)
Active Displays the firewall application on Symbian and Windows Mobile
devices. Clear the check box to hide the application.
Disable Handset Modifications Prevents users from changing the firewall settings on the device.
Clear the check box to allow the device settings to override the
gateway settings during the periodic synchronizations with the
gateway.
Security Level Choose one of the following:
Disable—Disables the firewall component.
Allow—Permits all traffic that is not specifically blocked in the
firewall profile rules.
Block—Blocks all traffic that is not specifically allowed in the
firewall profile rules.
Profile Set of firewall rules that are applied to devices when they are
registered. Use the list box to select a firewall profile. If you have not
yet defined profiles, you can edit this setting later. You can also
apply profiles to individual devices.
Antispam Settings (Win Mobile and Symbian only)
Active Displays the antispam application on Symbian and Windows
Mobile devices. Clear the check box to hide the application.
Disable Handset Modifications Prevents users from changing the antispam settings on the device.
Clear the check box to allow the device settings to override the
gateway settings during the periodic synchronizations with the
gateway.
Block Short Codes Blocks SMS messages to or from short codes. Short codes are five-
or six-digit SMS codes that serve as short phone numbers and are
often used by premium SMS services. SMS messages from short
codes are more likely to be spam than messages from regular
phone numbers. Outgoing SMS messages to short codes can incur
phone charges. Short codes are also used for instant messaging
(IM) services. Blocking short codes increases security but also
limits service to the client.
Profile Set of antispam rules that are applied to devices when they are
registered. If you have not yet defined profiles, you can edit this
setting later. You can also apply profiles to individual devices.
Monitor and Control Settings
Log Event Limit Number of events that are logged on non-iOS devices before they
are uploaded to the server. An event is an instance of any logged
item (e-mail, SMS or MMS message, phone call, or image). Higher
values delay server updates, but minimize SMS charges and
conserve battery life. Select off to disable uploads based on the
number of events.
Note: Device logs are uploaded to the gateway over HTTPS, not
SMS.
Log Size Limit Maximum amount of file space used for the event log on non-iOS
devices (100K is recommended). The log can exceed this value, but
if the log becomes full, an attempt to upload the log occurs after
each event. Select off to disable uploads based on the log size. If
both the Log Event and Log Size limits are off, uploads occur only
when requested from the management Console or user Dashboard.
Log Email Saves all e-mails in the log (not supported on Android and iOS
devices).
Log SMS Saves all SMS messages in the log on non-iOS devices.
Log MMS Saves the text portion of all MMS messages in the log on
Blackberry and Symbian. Graphics are included only if they are
saved on the device and the Log Images option is selected.
Log Voice Saves a record of each phone call in the log on non-iOS devices,
including date, time, and remote phone number.
Disable Voice Disables the ability to make phone calls (not supported on
Blackberry and iOS devices).
Log Images Saves images in the log that are loaded on non-iOS devices.
Log Web Images Saves images in the log that are accessed with the device Web
browser (not supported on Android and iOS devices).
GPS Update Period Select how often a device reports its GPS location to the gateway,
or select Disable Updates to disable GPS reporting. For iOS devices
(iPhones and iPads with 3G support), this setting overrides the iOS
profile, unless Profile Setting is selected. The device’s last reported
location can be viewed on the GPS Tracking Report (see “Tracking
Devices with GPS” on page 60).
SIM Change
Lock on SIM Change Locks a non-iOS handset if the SIM card is changed after the device
is registered. Changing the SIM card changes the phone number,
and disables communication with the gateway. This feature helps
protect personal data if the phone is lost or stolen. Logging in with
the user’s registration password unlocks the device and updates
the phone number on the gateway.
NOTE: For a device registered automatically, the user must replace the SIM to unlock the device. Also, locking the device does not disable active background applications, such as a phone call or the music player.
Wipe on SIM Change Wipes the user data from a non-iOS handset if the SIM card is
changed after the device is registered (Lock on SIM Change must
be enabled). The data erased depends on the device type (see
Table 3, “Personal Data Erased by Handset Wipe Command” on
page 64). Note the following:
On Android 2.2 (or later) devices that have the Device
Administrator function enabled, the device is not locked, but a
factory reset occurs that removes all applications installed by
the user, including Junos Pulse. If the Device Administrator is
disabled, the device is locked, and GPS Theft Mode, Monitor &
Control logging is enabled.
On Android 2.1 devices, the device is locked, and GPS Theft
Mode, Monitor & Control logging is enabled, but the device is
wiped only if the SIM is replaced (not just removed). The
contacts and history are wiped, but not the SD memory card.
Applying iOS Profiles to Devices
In addition to the default iOS profile that is applied to iOS devices during registration,
you can define additional profiles and apply them to iOS devices at any time. An iOS
profile can be applied to multiple devices or customized for a single device. When a
profile is applied to one or more devices, each device is sent the InstallProfile command,
which prompts the device to download the profile.
To apply an iOS profile to iOS devices:
1. Select the Enterprise in the navigation panel.
2. Select the Devices tab.
3. To limit the device list to iOS devices, select Device OS from the Filter by menu,
select iOS, and click Search. To remove the filter, click the Devices tab.
4. In the Devices list, select the check box next to the iOS devices where you want to
apply the profile, and click Apply iOS Profile. An error occurs if any non-iOS devices
are selected.
5. In the displayed list of iOS profiles, select the profile that you want to apply to the
selected devices, and click Apply. To find a specific profile, begin typing part of the
profile name or description in the Search text box.
After you apply a profile, the Last Sync date on the Devices page is updated when the
profile is loaded on the device. You can also use the Command History report to verify
that the command was acknowledged and processed (see “Viewing Reports” on
page 57).
Sending Device Commands
After you update a device’s settings on the gateway, you can send an Update Profile
command that prompts the device to get the latest settings from the gateway. You can
also send commands to enable or disable features, initiate a virus scan, or back up a
device’s contacts and calendar information on the gateway. Some commands are sent
only by the system or as a result of other actions by the administrator.
Customer service personnel typically execute just a few of these commands to resolve
customer issues. The Update Profile command will likely be the most commonly used,
following any modifications to the device settings. Users might also need assistance to
unlock their handset or enable or disable GPS location services on their device.
Commands are sent to iOS devices using APNS and to non-iOS devices using SMS.
Optionally, C2DM can be used for Android devices. Each command is encrypted,
device-specific, and sent only once. After a command is sent, use the Command History
report to verify that the command was acknowledged and processed (see “Viewing
Reports” on page 57).
Informational Note: Command delivery may take several minutes and, while highly
reliable, is not guaranteed. Also, device commands cannot be sent over Wi-Fi or to
non-iOS devices that do not support SMS (such as some non-iOS tablets).
To send commands to devices:
1. Select the Enterprise in the navigation panel.
2. Select the Devices tab to send commands to devices or device groups, or click the
Users tab to send commands to the devices registered to specific users or user
groups.
3. Select the individual devices (or users) where you want to send commands, or click
Device Groups or User Groups and select one or more groups.
4. Click Send Commands, select the commands you want to send, and click Send.
Table 1 on page 54 describes the commands that you can select, plus other
commands that are the result of other actions. If you select an iOS device, only the
universal commands are displayed. If you select only non-iOS devices, all the
universal and non-iOS commands are available.
Informational Note: The name shown in parentheses for each universal command is
the name displayed on the Command History report for iOS devices. For example, on
the Command History report, the Update Profile command is shown as InstallProfile for
iOS devices, and Update Profile for all other device types.
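The Command History check that this section recommends can be scripted. The following Python sketch is an added example, not code from Juniper or the gateway: it classifies records using the Status and Ack Status values listed in the Command History report description in Chapter 6, and reports the Handset Wipe and Handset Lock commands that are not yet confirmed. The record layout, the device IDs, and the reading of a blank Ack Status on a non-iOS device as "no acknowledgement yet" are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Names shown on the Command History report for iOS devices (Table 1),
# mapped to the universal command names used for all other device types.
IOS_COMMAND_NAMES = {
    "InstallProfile": "Update Profile",
    "InstalledApplicationList": "Send App Log",
    "EraseDevice": "Handset Wipe",
    "DeviceLock": "Handset Lock",
    "ClearPasscode": "Handset Unlock",
}

# iOS Status values from the Command History description. i_EmptyProfile is
# grouped with the in-flight states because the guide describes it as a
# profile that "is being loaded" on the device.
IOS_PENDING = {"i_Created", "i_Pushed", "i_Pulled", "i_NotNow", "i_EmptyProfile"}
IOS_FAILED = {"i_Error", "i_FormatError"}


@dataclass(frozen=True)
class CommandRecord:
    """One Command History row. The field layout is an assumption."""
    device_id: str
    ios: bool
    command: str
    status: str
    ack_status: Optional[bool] = None  # always blank (None) for iOS devices
    ack_reason: str = ""


def universal_name(rec: CommandRecord) -> str:
    """Translate an iOS report name to the universal command name."""
    if rec.ios:
        return IOS_COMMAND_NAMES.get(rec.command, rec.command)
    return rec.command


def classify(rec: CommandRecord) -> str:
    """Return CONFIRMED, PENDING, FAILED or UNKNOWN for one record."""
    if rec.ios:
        if rec.status == "i_Executed":
            return "CONFIRMED"
        if rec.status in IOS_PENDING:
            return "PENDING"
        if rec.status in IOS_FAILED:
            return "FAILED"
        return "UNKNOWN"
    # Non-iOS: Status covers SMS delivery, Ack Status covers execution.
    if rec.status == "FAILED":
        return "FAILED"
    if rec.status == "PROCESSED":
        if rec.ack_status is True:
            return "CONFIRMED"
        if rec.ack_status is False:
            return "FAILED"  # delivered, but the device did not execute it
        return "PENDING"  # assumption: blank means no acknowledgement yet
    return "UNKNOWN"


def unconfirmed(records: Iterable[CommandRecord],
                commands: Set[str]) -> List[Tuple[str, str, str, str]]:
    """List (device, command, outcome, ack_reason) for the latest record of
    each device/command pair that is not CONFIRMED. Records must be ordered
    most recent first, which is how the report lists them."""
    seen = set()
    findings = []
    for rec in records:
        name = universal_name(rec)
        key = (rec.device_id, name)
        if name not in commands or key in seen:
            continue  # not a watched command, or superseded by a newer row
        seen.add(key)
        outcome = classify(rec)
        if outcome != "CONFIRMED":
            findings.append((rec.device_id, name, outcome, rec.ack_reason))
    return findings


# Constructed sample records, most recent first.
SAMPLE = [
    CommandRecord("dev-ios-01", True, "EraseDevice", "i_NotNow"),
    CommandRecord("dev-and-02", False, "Handset Lock", "PROCESSED", False,
                  "constructed reason text"),
    CommandRecord("dev-and-03", False, "Handset Wipe", "PROCESSED", True,
                  "constructed: wipe complete"),
    CommandRecord("dev-bb-04", False, "Handset Lock", "FAILED"),
    CommandRecord("dev-ios-01", True, "EraseDevice", "i_Error", None,
                  "constructed older entry"),
    CommandRecord("dev-ios-05", True, "InstallProfile", "i_Executed"),
    CommandRecord("dev-and-02", False, "Handset Lock", "PROCESSED", True),
]

if __name__ == "__main__":
    for finding in unconfirmed(SAMPLE, {"Handset Wipe", "Handset Lock"}):
        print(finding)
```

Because each command is sent only once and delivery is not guaranteed, every row this returns for a lost or stolen device is a command to follow up on or send again.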
Table 1: Device Commands
Command Description
Universal Commands
Update Profile
(InstallProfile)
Updates all the settings on the device.
Send App Log
(InstalledApplicationList)
Retrieves a log of the applications installed on the device. To view the
retrieved log, click the Apps button for the device on the Monitor and Control
report (see “Viewing the Applications, Contacts, Pictures, and Messages on
Managed Devices” on page 60). This command is also sent if you click
Retrieve List in the list of applications on the report.
Handset Wipe
(EraseDevice)
Erases personal data from each device, depending on the device type (see
Table 3, “Personal Data Erased by Handset Wipe Command” on page 64).
Note the following:
For iOS devices and Android 2.2 (or later) devices that have the Device
Administrator function enabled, a factory reset occurs that removes all
applications installed by the user, including Junos Pulse. This command
has no effect on Android devices that have the Device Administrator
disabled.
On Android 2.1 devices the SD memory card is not erased.
On iPhones prior to the iPhone 4, it can take approximately one hour to
wipe each 8 GB on the device.
Handset Lock
(DeviceLock)
Locks a device to prevent a lost or stolen device from being used. For Android
and Blackberry devices, you can specify a passcode and select the check box
to email the passcode to the user.
Note the following:
For Android devices, if the Device Administrator is enabled and a passcode
is defined on the device, the existing passcode is used to lock the device,
and the passcode in the command is ignored.
If the Device Administrator is disabled or a passcode is not defined on the
device, the device is not locked unless the command includes a passcode.
For Blackberry devices, if the command is sent without a passcode, the
device is locked with the passcode entered during manual registration. For
devices registered automatically, a passcode is generated on the device.
A locked device can be unlocked by sending a Handset Unlock command.
Android and Blackberry devices also can be unlocked by entering the
passcode on the device. For iOS devices that do not have a passcode, a
swipe gesture will unlock the device.
NOTE: Locking the device does not disable active background applications, such as a phone call or the music player.
Handset Unlock
(ClearPasscode)
Unlocks a locked device or clears the passcode on iOS devices so that users
can enter a new password to unlock the device. For Android and Blackberry
devices, you can specify a blank passcode to unlock the device or specify a
new passcode and select the check box to email the new passcode to the
user. The user must enter the new passcode to unlock the device.
NOTE: For Android devices, if the Device Administrator is enabled and a passcode is defined on the device, the new passcode replaces the existing one only if it satisfies the device passcode policy. A blank passcode unlocks the device only if the device allows an empty passcode and encryption is not enabled.
Non-iOS Commands
Scan Handset Scans the device’s file system for viruses.
Scan Card Scans the device’s secure digital (SD) memory card for viruses.
Update Virus Definitions Sends the latest virus definitions to each device.
Handset Backup Backs up the device’s contact list and calendar on the gateway.
Handset GPS Location Sends the current GPS location of each device to the gateway.
Alarm On
Alarm Off
Turns the device alarm on or off. The alarm is used to help locate a lost
device.
GPS Theft On
GPS Theft Off
The GPS Theft On command enables GPS on the device (if it is disabled)
and sends GPS updates to the server every 2 or 3 minutes. The GPS Theft Off
command restores GPS updates to the frequency specified by GPS Update
Period setting for the device.
Restore Personal Data Restores the device’s contact list and calendar from the last backup.
Other Commands
DeviceInformation
InstallProfile
Commands issued by the system during registration of iOS devices.
RemoveProfile Issued when the blank profile is selected for an iOS device (used to delete
the iOS profile so that the device can be reregistered).
Remove Application Issued when an application is removed from a device using the App
Revocation List (see “Removing Applications From Managed Devices” on
page 59).
Send Contact Log
Send RealTime Log
Issued when you click Retrieve List in the contact or messages log for a
device on the Monitor and Control report (see “Viewing the Applications,
Contacts, Pictures, and Messages on Managed Devices” on page 60).
Backing Up and Restoring Personal Data
The personal contact list and calendar on non-iOS devices can be backed up and
restored by an Enterprise administrator and some device users. Users can initiate a
backup from the Pulse client on the device. If the Enterprise allows access to the
gateway Dashboard, users can log in to the Dashboard using their registration e-mail
address and password and restore their last backup.
For users who do not have access to the Dashboard or who register without entering an
e-mail address and password, the administrator can perform the restore or provide a
login account for the Dashboard.
The restore process does not overwrite anything. To avoid creating duplicate entries on
a device, the administrator or Dashboard user may want to issue a Handset Wipe
command before doing the restore (see “Sending Device Commands” on page 54).
Managing Device Groups
Device groups let you send commands to the devices in one or more groups and view
reports for the devices in a specific group.
To create a new device group:
1. Select the Enterprise in the navigation panel.
2. Select the Devices tab.
3. Click Device Groups.
4. Click Add Device Group to open the Group dialog box.
5. Specify the following group properties and then click Save to save your changes.
Group Name
Notes
To add devices to a group:
1. Select the Enterprise in the navigation panel.
2. Select the Devices tab.
3. Select the check box for each device you want to add to a device group.
4. Click Move To to open the Move To dialog box.
5. Select the target device groups, and then click Move.
Chapter 6
Reports
This chapter describes how to use the reporting features. Generally, these reports are
used only by administrators, but customer service personnel may use them occasionally
to resolve customer issues.
“Viewing Reports” on page 57
“Removing Applications From Managed Devices” on page 59
“Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices” on
page 60
“Tracking Devices with GPS” on page 60
“Viewing the Gateway and Change History Logs” on page 61
Viewing Reports
The reports provided with the Pulse Mobile Security Suite let you view lists of the
registered devices, discovered viruses or malware, and the date and time of the last
updates to the device settings. You can also view the monitored content for each device,
remove applications from selected devices, map the location of a lost device, and verify
the execution of device commands.
To view reports:
1. In the navigation panel, select the Root, a Partner, an Enterprise, or a device group,
and then select the Reporting tab.
2. Click the name of the report you want to view.
Report Name Description
Summary Displays a pie chart of the types of discovered viruses, a bar chart of
device registrations, and the last 10 discovered viruses and registered
devices.
Virus Discovery Alerts Lists the viruses found on devices. The report lists the Virus Name,
Device Firmware, Virus Filename, Handset Identification (IMEI, IMSI,
MSISD), and the date discovered.
Profile Update Report Lists the date and time of each device update and indicates whether
the entire device profile was updated (Yes or No). A No indicates
something more specific was updated, such as the virus definitions.
Registration Report Lists the database registration information for each device, including
the IMEI, IMSI, DID, MSISD, ESN, and Created Date.
Software Update Report Lists the software updates that were pushed to devices by the Pulse
Mobile Security Gateway. The report lists the Build, New Version, Old
Version, Handset Identification, and Date for every update transaction.
Monitor and Control Report Lists the devices that have sent log updates to the gateway for the
types of data the device is monitoring (e-mail, SMS and MMS
messages, and pictures). You can view the logs of monitored data, as
well as the contacts and applications on each device (see “Viewing
the Applications, Contacts, Pictures, and Messages on Managed
Devices” on page 60).
App Revocation Report Lists the applications that were removed from devices by an
administrator. The report lists the Application Name, Status of
removal, Handset Identification, and Date processed.
App Revocation List Lists the applications installed on the managed devices. You can use
the list to remove applications from devices that support this feature
(see “Removing Applications From Managed Devices” on page 59).
GPS Tracking Report Lists the last reported location in the Global Positioning System for all
devices that have a GPS Update period specified or have received the
GPS Theft On command. The report includes the Handset
Identification, GPS Type, Latitude, Longitude, and the last Captured
Date/Time. Click the icon in the Map It column to view the last device
location (see “Tracking Devices with GPS” on page 60).
Command History Lists the commands issued to devices from the Pulse Mobile Security
Gateway. The most recent commands are listed first. The following
fields indicate whether the command was processed successfully:
Status—For non-iOS devices, indicates whether the SMS message
was delivered to the device (PROCESSED or FAILED). The FAILED
status can occur if the device is turned off or the phone number is
incorrect (such as when the country code is missing), or the SMS
aggregator is down or not configured correctly for the Enterprise.
For iOS devices, the status can be one of the following:
− i_Created-The command was created.
− i_Pushed-The command was sent to Apple's APNS server.
− i_Pulled-The device is obtaining the command from the gateway.
− i_NotNow-The device received the command but cannot
respond immediately. The device will respond when the
command is executed.
− i_Executed-The device executed the command successfully.
− i_Error-The command cannot be executed (the Ack Reason field
may have more information).
− i_FormatError-The command has a protocol-level error.
− i_EmptyProfile-A profile with only the general and GPS settings
is being loaded on the device.
Ack Status—For non-iOS devices, indicates whether the device
executed the command successfully (true or false). A false status
can occur if the device does not support the command. For iOS
devices, this field is blank.
Ack Reason—May provide more information when the Status
field is i_Error or the Ack Status field is false. This field can also
indicate when a Handset Wipe command is complete, and the
number of viruses found by a Scan Handset command.
Android Malware Lists the malware, suspicious, and prohibited applications detected
on Android devices, depending on the selection in the View
Detections By menu:
Device—Lists the device ID and user name for each device that has
installed, removed, or allowed one or more malware, suspicious, or
prohibited applications, and the number of each (only suspicious
applications can be allowed). Select a device to view the package
name, application name, detection date, and status (installed,
removed, or allowed) of each application detected on the device.
The detection date is the date of the scan.
Any Type—Lists the package and application name of each
malware, suspicious, or prohibited application detected on one or
more Android devices, and the number of devices where the
application has been installed, removed, or allowed. Select an
application to view the user name, detection date, and status for
each device where the application was detected.
Malware—Lists the malware applications detected, and the
number of devices where each application has been installed or
removed.
Prohibited—Lists the prohibited applications detected, and the
number of devices where the application has been installed or
removed.
Suspicious—Lists the suspicious applications detected, and the
number of devices where the application has been installed,
removed, or allowed.
To find all devices, users, or applications that include some specific
text in the name, enter the text in the box next to the Search button,
and click Search.
Removing Applications From Managed Devices
You can view the applications that reside on managed devices and remove applications
from selected devices (currently supported only on some Android devices). Deleting an
application sends a Remove Application command to each device.
Informational Note: Users are not notified when an application is removed from their
device, and are not prevented from reinstalling the application.
To view and remove device applications:
1. In the navigation panel, select the Root, a Partner, an Enterprise, or a device group,
and then select the Reporting tab.
2. Click App Revocation List to display a list of all of the applications that reside on
the managed devices.
The applications list is retrieved when the device is registered. To update the list,
issue the Send App Log command to the device. Alternatively, you can select the
Monitor and Control Report, click Apps to view the applications on a specific
device, and then click Retrieve List to update the list.
Because of differences in how different devices handle applications, the list might
not show every application on the device.
3. To filter the revocation list by application name, click Add Filter, specify the filter
criteria, and click Run Report.
4. Click an application to display a list of devices where that application is installed.
5. To remove the application from all devices, click Remove Apps in All Devices. To
remove the application from specific devices, select the check boxes for the
appropriate devices, and click Remove Apps for Selected Devices.
Viewing the Applications, Contacts, Pictures, and Messages on Managed Devices
You can view logs of the applications, contacts, pictures, and messages that reside on
managed devices (iOS devices provide only the application log). The inventory of these
items is created on-request to create a real-time view of the device content. The
content of the message log depends on the device log settings for e-mail, phone calls,
MMS, and SMS messages.
Informational Note: The Contact Log on the gateway is cumulative, so that it retains
entries that have been deleted from the device.
To view the applications, contacts, pictures, and messages that reside on managed devices:
1. In the navigation panel, select the Root, a Partner, an Enterprise, or a device group,
and then select the Reporting tab.
2. Click Monitor and Control Report. The report lists each device, and each device
record includes a set of buttons that let you view the applications, contacts,
pictures, and messages on the device.
3. Click a button in a device record to display the items that reside on the device
according to the last log update.
4. Click Retrieve List to retrieve the most recent data from the device. The retrieval
may take a few minutes.
Tracking Devices with GPS
Mobile devices that support the Global Positioning System (GPS) can report their
location to the Pulse Mobile Security Gateway, and the location can be displayed on a
map. GPS data is reported by all devices that have a GPS Update period specified or by
non-iOS devices that receive a GPS Theft On command.
To view a device's location:
1. In the navigation panel, select the Root, a Partner, an Enterprise, or a device group,
and then select the Reporting tab.
2. Click GPS Tracking Report. For each device, the report lists the GPS type and the
last reported latitude and longitude. Note that a GPS type of network indicates that
cell-tower triangulation is used to locate the device, which is less accurate (up to a
few hundred feet) than GPS or Assisted GPS.
3. Click the Map It icon for a device to view the device's location.
Informational Note: The accuracy of location information can be affected by many
environmental factors. Devices that have no location data will report 0.0 as their
location.
Viewing the Gateway and Change History Logs
You can view the entries in the gateway log by date and hour, and save the displayed log
entries to a text file. The Change History log records each user action, including the
user's login name, IP address, and the details of the change (if any).
To view the gateway and change history logs:
1. In the navigation panel, select the Root or an Enterprise, and then select the Logs
tab.
2. To view the gateway log:
a. Select the date and hour of the log entries you want to view. To display only the
log entries that contain a specific text string, enter the text in the Keyword field.
b. Click Search to display the matching log entries. The most recent entries are
listed first.
c. To save the displayed log entries to a text file, click Download.
3. To view the Change History log, click Change History. The most recent entries are
listed last.
Appendix A
Summary of Supported Features
This appendix provides a summary of the available features for each type of device.
Each deployment can be customized to include or exclude specific features.
Pulse Mobile Security Features by Device Type
Table 2 indicates the Pulse Mobile Security features supported by each type of device.
Table 3 indicates the data erased for each device by the Handset Wipe command.
Table 2: Feature Support by Device Type
Feature Android Blackberry iOS Symbian Windows Mobile
Alarm On/Off
Antispam
Antivirus
Application Inventory
Application Removal
Automatic Registration
Backup/Restore Contacts & Calendar
Contacts Log
Control Device Encryption
Control SD Card Encryption Samsung
Dashboard Web Portal
Device Identity Servers
Disable Voice
Enterprise VPN support IPsec to SRX
Exchange provisioning
Firewall
GPS Location/Tracking
GPS Theft On/Off
Images Log
Lock/Unlock Handset
Lock on SIM Change
Log Event/Size Limits
Log E-Mail
Log Images
Log MMS Messages
Log SMS Messages
Log Web Images
Malware Scan Interval
Monitor and Control Report
Passcode Requirements
Policy Based Client UI
Prohibited Applications
Restrictions on device usage
Scan Card
Scan Handset
Service Bundles
SCEP server support
Update Profile
Update Virus Definitions
Voice Log
VPN provisioning
VPN strong authentication (PKI or 2FA)
Wi-Fi provisioning
Wipe Handset
Wipe on SIM Change
Table 3: Personal Data Erased by Handset Wipe Command
Personal Data Android Blackberry iOS Symbian Windows Mobile
Appointments
Calendar Memos N/A N/A
Calendar ToDos N/A
Call History
Contacts
E-mail Boxes
Memory Card N/A
Notes N/A
SMS and MMS SMS Both Both SMS
Tasks N/A