AirWatch Recommended Configuration Guide Effective: March 1st, 2016
AirWatch Recommended Configuration Gui de | v.2016.03 | March 2016 Copyright © 2016 VMware, Inc. All rights reserved. Proprietary and Confidential.
Contents
1. Introduction
2. AirWatch Foundational Elements
2.1 Defining Organization Groups
2.2 User Groups/Smart Groups
2.3 Managing Administrators and Role-Based Access
2.4 Enabling the Self Service Portal
2.5 Managing User Roles
2.6 Device Lifecycle Notifications
3. Identity and Access Management
3.1 VMware Identity Manager
3.2 MDM vs. Container Enrollment
3.3 Enrollment Authentication
3.4 Apple Device Enrollment Program (DEP)
3.5 Android for Work
3.6 AutoDiscovery
3.7 Terms of Use Policy
3.8 Enrollment Restrictions
4. MDM Setup and Policies
4.1 AirWatch Profiles
4.2 Passcode Profiles
4.3 Restriction Profiles
4.4 Enforcing Device Compliance
4.5 Privacy Policy
4.6 Privacy First
5. MAM Setup and Policies
5.1 Deploying and Managing Applications
5.2 Deploying the Enterprise App Catalog
5.3 Deploying Applications using Apple Volume Purchase Program (VPP)
6. AirWatch Application Security Settings and Policies
6.1 Authentication
6.2 Single Sign On
6.3 Integrated Authentication
6.4 Offline Access
6.5 Compromised Protection
6.6 AirWatch App Tunnel
6.7 Data Loss Prevention
6.8 Network Access Control
7. MEM Setup and Policies
7.1 Deploying Corporate Email
7.2 Email Notification Service
7.3 Protecting Your Email Infrastructure
7.4 Enforcing Email Access Control
7.5 Protecting Email Attachments & Hyperlinks
8. MCM Setup and Policies
8.1 AirWatch Content Locker
8.2 Integrating with Content Repositories
8.3 Configuring AirWatch Browser Settings
8.4 Content Locker Collaborate
8.5 Personal Content
9. Device Specific Recommendations
9.1 iOS Recommendations
9.2 Android Recommendations
9.3 Mac OS X Recommendations
Appendix 1: Corporate Sample Terms of Use
1. Introduction
The AirWatch Admin Console provides a centralized solution to view and manage every aspect of your MDM deployment. Quickly and easily add new devices and users to your fleet, manage profiles and configure system settings all within a single, web-based resource. The configuration guide for Bundled Customers provides a walkthrough and worksheet for completing the core functionality that should be considered prior to deploying your devices. This guide will cover the following areas:
AirWatch Console Setup
Enrollment Options and Settings
Security Setup
MDM Settings and Policies
MEM Setup and Policies
MAM Setup and Policies
MCM Setup and Policies
Additional Setup Options
All recommendations in this guide are given for a typical corporate deployment. If you do not fall into this category or have concerns about a specific setup option, please first consult with your Deployments Engineer.
2. AirWatch Foundational Elements
2.1 Defining Organization Groups
AirWatch identifies users and establishes permissions using Organization Groups. With Organization Groups, you can establish an MDM hierarchy identical to your organization's internal hierarchy. Alternatively, you may choose to establish Organization Groups depending on features and content that will be accessed from sets of devices. Organization groups allow you to:
Build groups for entities within your organization.
Customize hierarchies with parent and child levels.
Integrate with multiple internal infrastructures at the tier level.
Delegate role-based access and management based on multi-tenant structure.
Recommendations: AirWatch recommends that customers make their organization group structure as flat as possible to minimize unneeded manual administrative tasks when making changes to your deployment. If Administrators for your environment will need access to only specific groups or levels, Organization Groups are the easiest way to achieve this segmentation. Additionally we recommend configuring Organization Groups for your Production environment and for Testing purposes. Speak with your consultant for more information on setting this up.
Many customers choose to structure their Organization Groups to mirror their existing Active Directory/LDAP Organizational Unit structure. A one-to-one relationship is then created between AD Organizational Units and AirWatch Organization Groups. During enrollment, AirWatch will automatically place devices into the corresponding OG based on the user's Organizational Unit settings. Although this structure will work, this method is typically more granular than most customers need in their environment.
When enrolling both Corporate and BYOD devices, specific consideration is required to ensure that these devices can be managed in an appropriate manner to ensure both privacy and accurate device configuration. One of the following approaches is typically selected to automate the configuration of these devices:
1. Enable a setting in the AirWatch Console to prompt the user during the enrollment process to select which type of device they are enrolling (Corporate Dedicated or Employee Owned).
2. Set your default ownership type to "Employee Owned" and pre-register all Corporate Owned devices, setting their ownership type to "Corporate Owned".
If you opt to separate your Organization Groups by device ownership type, please be aware of the following drawbacks:
It can be difficult to move devices and users between Organization Groups
Your entire structure (including profiles, policies and settings) may need to be duplicated
*For non-typical corporate deployment (Education, Retail, etc.), further considerations will need to be made. Please discuss these with your Deployments Engineer.
2.2 User Groups/Smart Groups
AirWatch allows you to group sets of users into User Groups, allowing you to further streamline MDM management by leveraging existing LDAP/AD groups. User groups act as filters (in addition to Organization Groups) for assigning MDM Profiles and applications. When configuring your MDM environment, it is a best practice that User Groups be used to define Security Groups and/or Business Roles within your organization. It is also recommended that User Groups/Smart Groups be used to assign Profiles, Compliance Policies, Content, and Applications to users and devices. Recommendations: AirWatch recommends the following best practices for User Groups:
- Enable your AD/LDAP to sync automatically with AirWatch to regularly update user and group information
- Unless you plan on restricting enrollment to only pre-approved users, it is unnecessary to bulk import/sync user groups from your LDAP prior to enrollment
  - Users will be created in AirWatch as they enroll
- Map User Groups to desired Organization Groups so users are automatically enrolled into the desired OG
- Assign apps, profiles and compliance policies to different User Groups with the use of Assignment Groups (User Groups, Smart Groups and Organization Groups)
- Assign content to different users with the use of User Groups
*AirWatch recommends against manually selecting more than 500 devices when setting up smart groups.
2.3 Managing Administrators and Role-Based Access
Similar to how AirWatch has user accounts to keep track of users with devices, AirWatch administrator accounts keep track of who has access to the AirWatch Admin Console. As an administrator, you can maintain MDM settings, push or revoke features and content and much more from the centralized AirWatch Admin Console. Although many organizations have multiple administrators of their managed device fleet, each administrator may require different levels of access depending on their specific corporate role. Admin Account roles provide the proper level of access for different administrators. The AirWatch Admin Console allows a quick way to change roles by simply selecting a new role from the Account Role dropdown box within the Account menu in the top-right corner of the Console. For ease of use, there are numerous Default Roles already provided by AirWatch from which you may select. These default roles are available with every AirWatch upgrade and help quickly assign roles to new users. If you require further customization, you have the option to create Custom Roles to further tailor the admin privileges and permissions. Unlike default roles, custom roles require manual updates with every AirWatch upgrade. Recommendations: AirWatch recommends setting up a separate Admin account for each person who will be logging in to the Console. We also recommend the use of Default Roles over Custom Roles to avoid manual updates after upgrades. For On-Premise customers, AirWatch recommends that you maintain a basic administrator account at the Global Organization Group level with System Administrator privileges. Additional basic or directory admin accounts can be configured as needed.
2.4 Enabling the Self Service Portal
The AirWatch Self-Service Portal (SSP) is a useful online tool used to remotely monitor and manage devices. It can help reduce the overall "hidden cost" of managing a device fleet. By empowering and educating device users on how to perform basic device management tasks, investigate issues and fix problems, your organization may be able to reduce the number of help desk tickets and support issues. Recommendations: AirWatch recommends the use of the Self Service Portal for most deployments in order to capitalize on the benefits listed above.
2.5 Managing User Roles
By defining user roles within the AirWatch Admin Console, you can set who has access to the Self Service Portal (SSP) and what actions logged-in users can perform. Full Access and Basic Access user roles have been added by default, but additional roles can be added for BYOD users. Recommendations: When defining custom user roles, AirWatch strongly recommends duplicating the "Full Access" role and renaming it to "[COMPANY] Full Access". Then the Administrator can change the end user access for their custom role based on the company's policies and goals. This custom role should then be set as the default end-user role in the Admin Console.
2.6 Device Lifecycle Notifications
Within the AirWatch console, Administrators have the ability to control notifications that are sent when a device successfully enrolls, is un-enrolled, or is blocked by an enrollment restriction. Admins are encouraged to set up these notifications based on their specific needs. Recommendations: For the deployment of corporate owned devices, AirWatch recommends enabling a notification to email the Administrator if a corporate device is unenrolled or a device is blocked by an enrollment restriction.
3. Identity and Access Management
3.1 VMware Identity Manager
VMware Identity Manager is a service that extends your on-premises directory infrastructure to provide a seamless Single Sign-On (SSO) experience to Web, Mobile, SaaS and Legacy applications that may be consumed as a SaaS service or downloaded and installed on premises. Identity Manager integrates with AirWatch Enterprise Mobility Management to enable industry-first seamless SSO to Native Mobile Apps and comes complete with an Enterprise App Store, SAML identity provider (IDP), application usage analytics, Conditional access policy engine and more.
3.2 MDM vs. Container Enrollment
AirWatch offers two distinct approaches to managing and securing devices. Identify the right model for your organization by using the table below. Your choice is not mutually exclusive as different groups of users and different devices can be managed in either way.
MDM Enrollment
Full device security, flexible monitoring, management, and enforcement over the entire lifecycle of a device.
Benefits:
- Provides full protection & visibility of all data on device
- Ease of access directly into both personal and corporate apps
- Extensive management capabilities including install/remove profiles and apps over-the-air
- Flexible privacy policy enforcement to restrict IT from intrusive data and capabilities from console
- Provides integration with Samsung KNOX
- Offers integration into native email client & device passcodes
- Still provides all containerization capabilities of Container
Considerations:
- Security policies might enforce policies which affect the personal space on the device (e.g. device passcode, restrictions)
- Data being managed must be on a device that is not managed by another solution (e.g. only one MDM can exist)
- End user perception of privacy concerns
Ideal For:
- Line-of-business & corporate dedicated devices
- Executives / Board of Directors with sensitive data
- BYOD deployments
- Organizations wanting the devices to connect and join the corporate network

Container Enrollment
Management visibility and enforcement only over the corporate apps and data on the device. Complete containerization of corporate apps and data from personal via the Container application.
Benefits:
- Provides protection & visibility over corporate data on device without managing the device
- Dual persona: personal and corporate apps and data are accessed separately on a device
- Avoids OS enrollment prompts warning users of intrusive MDM capabilities and privacy concerns
- Unique passcode and email client separating corporate from personal
- Identical corporate experience across Android manufacturers & versions
Considerations:
- Cannot install/remove profiles and apps over-the-air automatically
- Cannot utilize device compliance policies
- Cannot integrate with native email clients and device passcodes
- Does not protect user's personal data
- Lost devices cannot be fully wiped, even by the employee
Ideal For:
- BYOD deployments
- Complex Android deployments with multiple device manufacturers
- Users outside of your organization you are collaborating with
3.3 Enrollment Authentication
The type of user authentication you choose depends on the amount of back-end setup work required by the administrator and the number of logins required of the end-user on the device at enrollment. If you want the enrollment process to be as simple as possible for the end-user, the administrator must do more work to set up the back-end infrastructure. Likewise, a lighter workload for the administrator typically means there are more steps required for the end-user.
- Basic Authentication - Basic Authentication can be utilized by any AirWatch architecture, but offers no integration to existing corporate user accounts.
- Active Directory / LDAP Authentication - Active Directory / LDAP authentication is utilized to integrate user and admin accounts of AirWatch with existing corporate accounts.
- Authentication Proxy - Authentication Proxy is an AirWatch proprietary solution delivering directory services integration across the cloud or across hardened internal networks. In this model, the AirWatch MDM server communicates with a publicly-facing web server or an Exchange ActiveSync Server that is able to authenticate users against the domain controller. This method can only be used when organizations have a public-facing web server with hooks into the corporate domain controller.
- VMware Identity Manager - Identity Manager is a SAML authentication solution that offers single sign-on support and federated authentication; AirWatch never receives any corporate credentials. If an organization has another SAML Identity Provider server, SAML 2.0 integration is recommended.
- Token-based Authentication - AirWatch generates a token, which is placed within the enrollment URL. For single-token authentication, the user accesses the link from the device to complete enrollment and the AirWatch server references the token provided to the user.
Recommendations: For a typical corporate deployment, AirWatch recommends using Basic or Active Directory enrollment with Auto-Discovery enabled. (If Active Directory enrollment is being utilized in On Premise environments, AirWatch recommends configuring this at the Company level, not the Global level.) If two-factor authentication is required for security reasons, please speak with your consultant on how to best achieve this. AirWatch always recommends utilizing agent based enrollment to ensure the greatest amount of functionality. If you have additional questions on enrollment, please discuss these with your Deployments Consultant, or reference the AirWatch Enrollment Process Guide.
3.4 Apple Device Enrollment Program (DEP)
The Device Enrollment Program from Apple is designed to help enterprises and educational institutions simplify the MDM enrollment process for IT departments and end-users. The Device Enrollment Program enables enterprises to automatically install MDM profiles onto devices during the initial device setup process as well as supervise iOS devices over-the-air. Prior to the Device Enrollment Program, in order to supervise a device, it had to be tethered via USB to a computer running Apple Configurator. Learn more about this program with the AirWatch Guide for the Apple Device Enrollment Program (DEP).
Recommendations: AirWatch recommends the use of the Device Enrollment Program if it is available to you. When using DEP enrollment, we recommend pushing the AirWatch Agent as a managed app.
3.5 Android for Work
Google is making Android more secure for enterprises by providing data separation and security through a program called Android for Work. Android for Work not only improves Bring Your Own Device (BYOD) programs but also allows enterprises to deploy corporate owned devices that are enterprise ready. Android for Work offers two modes depending on the ownership of the device being used within your organization. The Android for Work "Work Profile" mode creates a dedicated space on the device for only work applications and data. The Work Profile does not allow AirWatch to control the entire device. For devices that are being deployed to end users as corporate owned, "Work Managed Device" mode allows AirWatch and the IT admin to control the entire device. The benefits of Android for Work include:
- Removes the fragmentation of manageability on Android devices, which standardizes the core components of Android on the same operating systems across all devices regardless of manufacturer.
- Integrates the use of Google applications for business purposes to provide personal and work profiles in a single, unified launcher.
Recommendations: Customers should plan on migrating their device fleet to Android for Work enabled devices over the next 2-3 years in order to be able to utilize the greatest amount of functionality for their Android devices.
3.6 AutoDiscovery
AirWatch AutoDiscovery allows your end users to enroll their device using information they already know (corporate email address), rather than having to enter the AirWatch Server URL and Group ID. Learn more about AutoDiscovery enrollment with the Guide to Simplified Enrollment with AutoDiscovery.
Recommendations: AirWatch recommends the use of AutoDiscovery for enrollment for standard corporate deployments if it is an option.
3.7 Terms of Use Policy Use the built-in Terms of Use to ensure that all users with managed devices have agreed to the policy. The Terms of Use is displayed during device enrollment and must be accepted by the user before proceeding with enrollment. The AirWatch Admin Console allows you to fully customize each Terms of Use and assign a unique Terms of Use to each Organization Group and Child Organization Group.
Recommendations: AirWatch provides sample Terms of Use policies for Corporate deployments. This sample can be found in Appendix 1. **Please note that this Terms of Use is an example only and should not be considered a legally binding contract. Always consult with your Legal team before publishing your corporate Terms of Use policy.**
3.8 Enrollment Restrictions Enrollment Restrictions allow you to customize enrollment policies by Organization Group and User Group roles, including the ability to:
Create and assign existing enrollment Restrictions policies using the Policy Settings.
Blacklist or whitelist devices by platform, operating system, UDID, IMEI, etc.
Using the bottom configuration checkboxes, you may also choose to restrict enrollment to only known users or users that are a member of configured groups, and specify whether administrators in child location groups are allowed to create, edit and assign restriction policies.
Recommendations: AirWatch recommends making the following enrollment restrictions for typical deployments:
Require Apple devices to be on the latest version of each OS that you wish to support to prevent potential security risks
Require Android devices to be on Android version 4.0 or higher; you may also enforce Android requirements by certain device type or OEM
Restrict device ownership types you don’t plan to support
Limit the number of devices that a user can enroll based on licenses purchased
Restrict any OS that you do not wish to support
Keep in mind that multiple enrollment restrictions can be put in place and assigned to user groups
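The restrictions listed above, expressed as a check that an enrollment request must pass, as an added example that is not part of the guide and not AirWatch code. The policy values are assumptions: the Android 4.0 minimum comes from the guide, but the iOS and Windows Phone minimums, the OEM name "ExampleOEM", the placeholder platform "LegacyOS", the ownership-type names and the per-user device limit are constructed for the example.

```python
"""Enrollment-restriction check modelled on the recommendations above.

Constructed example, not AirWatch code: the policy values, ownership-type
names, OEM name and device limit are assumptions chosen to illustrate the checks.
"""
from typing import Dict, List, Tuple

# Assumed policy. Android 4.0 comes from the guide; the other minimums are
# placeholders standing in for "the latest version you wish to support".
POLICY = {
    "min_os": {"Android": (4, 0), "iOS": (9, 2), "Windows Phone": (8, 1)},
    # Per-OEM override for Android, as the guide allows ("by device type or OEM").
    "oem_min_os": {("Android", "ExampleOEM"): (4, 4)},
    "allowed_ownership": {"Corporate - Dedicated", "Corporate - Shared", "Employee Owned"},
    "blocked_platforms": {"LegacyOS"},          # any OS you do not wish to support
    "max_devices_per_user": 3,                  # tied to licences purchased
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.0.4' -> (4, 0, 4); non-numeric parts are dropped, so '9.2b' -> (9,)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def enrollment_violations(request: Dict, enrolled: List[Dict], policy=POLICY) -> List[str]:
    """Return every restriction the enrollment request breaks (empty list = allowed).

    request: {"user", "platform", "oem" (optional), "os_version", "ownership"}
    enrolled: already-enrolled devices, each carrying a "user" key
    """
    reasons = []
    platform, oem = request["platform"], request.get("oem", "")
    if platform in policy["blocked_platforms"]:
        reasons.append("platform_not_supported")
    # An OEM-specific minimum, when present, overrides the platform minimum.
    minimum = policy["oem_min_os"].get((platform, oem), policy["min_os"].get(platform))
    if minimum is not None and parse_version(request["os_version"]) < minimum:
        reasons.append("os_version_too_old")
    if request["ownership"] not in policy["allowed_ownership"]:
        reasons.append("ownership_type_not_allowed")
    owned = sum(1 for d in enrolled if d["user"] == request["user"])
    if owned >= policy["max_devices_per_user"]:
        reasons.append("device_limit_reached")
    return reasons


# Constructed sample data: user "bob" already has three enrolled devices.
ENROLLED = [{"user": "bob", "platform": "iOS"}] * 3

if __name__ == "__main__":
    req = {"user": "alice", "platform": "Android", "oem": "ExampleOEM",
           "os_version": "4.0.4", "ownership": "Employee Owned"}
    print(enrollment_violations(req, ENROLLED))
```

Because the function returns every failed restriction rather than stopping at the first, the enrollment denial message can tell the user exactly what to fix, and the same check can be run against the existing fleet before a new restriction is switched on to see which devices would no longer qualify.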
4. MDM Setup and Policies 4.1 AirWatch Profiles Profiles are the primary means by which you can manage devices. You can think of profiles as the settings and rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They contain the settings, configurations, and restrictions that you want to enforce on devices. Create profiles for each platform type, and configure a payload, which are the individual settings you configure, such as those for passcodes, Wi-Fi, restrictions, or VPN, for each one.
Recommendations: AirWatch recommends only setting up one payload per profile. This allows you to more easily make changes and updates to specific payloads without adversely impacting end users. Passcode and Restrictions profiles (or other required settings) should have “Allow Removal” set to Never to prevent the end user from getting around the policy. AirWatch also recommends using the following naming convention when creating profiles: Payload Type – Assignment Group. Please refer to the device platform guides for more information on device specific profiles and settings.
4.2 Passcode Profiles End users access sensitive corporate information from their devices, making device security a major enterprise concern. Setting a passcode policy requires your end users to enter a passcode, providing a first layer of defense for sensitive data on devices. When configuring a Passcode profile, consider:
Complexity – simple passcodes for quick access or alphanumeric passcodes for security
Auto-Lock – secure idle devices with short lock time
Maximum Passcode Age – enforce renewal of passcodes at selected interval
Maximum Failed Attempts – prevent unauthorized access by fully wiping after a set number of failed attempts
Recommendations: AirWatch guidelines on passcode complexity are as follows:

Setting                            1 – Minimal Complexity   2 – Moderate Complexity   3 – High Complexity
Allow Simple Value                 Yes                      No                        No
Require Alphanumeric               No                       No                        Yes
Min Number of Complex Characters   0                        0                         2
Min Passcode Length                4                        6                         8
Max Age                            None                     90                        30
History                            None                     3                         5
Auto Lock Timeout                  15 minutes               10 minutes                3 minutes
Max Failed Attempts                10                       8                         5

Ideal For:
1 – Minimal Complexity: BYOD devices without sensitive apps, content, or data
2 – Moderate Complexity: Most organizations requiring strong security without compromising user experience
3 – High Complexity: Devices with highly sensitive data; Executives / Board of Directors; Finance / Government customers
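The three tiers above, turned into a checker that reports which rules a candidate passcode breaks, as an added example that is not part of the guide and not AirWatch code. The tier values are the ones in the table; what counts as a "simple value" (one repeated character or a straight ascending/descending run), the definition of a complex character as any non-alphanumeric one, and the unit of Max Age (days) are assumptions made for the example.

```python
"""Passcode-policy checker built from the three complexity tiers above.

Constructed example, not AirWatch code. Tier values come from the guide's
table; the "simple value" definition, the complex-character definition and
the Max Age unit (days) are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PasscodeTier:
    name: str
    allow_simple: bool
    require_alphanumeric: bool
    min_complex_chars: int
    min_length: int
    max_age_days: Optional[int]       # None = never expires
    history: Optional[int]            # None = no reuse restriction
    auto_lock_minutes: int
    max_failed_attempts: int


TIERS = {
    1: PasscodeTier("Minimal Complexity", True, False, 0, 4, None, None, 15, 10),
    2: PasscodeTier("Moderate Complexity", False, False, 0, 6, 90, 3, 10, 8),
    3: PasscodeTier("High Complexity", False, True, 2, 8, 30, 5, 3, 5),
}

_COMPLEX = re.compile(r"[^A-Za-z0-9]")   # "complex" = non-alphanumeric (assumption)


def is_simple(passcode: str) -> bool:
    """True for one repeated character (1111) or a straight run (1234, dcba)."""
    if not passcode:
        return False
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def violations(passcode: str, tier: PasscodeTier, history: Sequence[str] = ()) -> List[str]:
    """Names of the tier rules the candidate passcode breaks; [] means accepted."""
    problems = []
    if len(passcode) < tier.min_length:
        problems.append("min_length")
    has_alpha = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if tier.require_alphanumeric and not (has_alpha and has_digit):
        problems.append("require_alphanumeric")
    if len(_COMPLEX.findall(passcode)) < tier.min_complex_chars:
        problems.append("min_complex_chars")
    if not tier.allow_simple and is_simple(passcode):
        problems.append("allow_simple")
    # History: reject any of the last N passcodes, N = tier.history.
    if tier.history and passcode in list(history)[-tier.history:]:
        problems.append("history")
    return problems


def wipe_after_failures(failed_attempts: int, tier: PasscodeTier) -> bool:
    """The wipe triggers once the failed-attempt count reaches the tier's limit."""
    return failed_attempts >= tier.max_failed_attempts


if __name__ == "__main__":
    print(violations("1111", TIERS[1]))
    print(violations("123456", TIERS[2]))
    print(violations("Password1", TIERS[3]))
```

Note how "123456" passes tier 2's length rule yet is still rejected as a simple value, and how "Password1" satisfies tier 3's alphanumeric rule but not its two required complex characters: the rules are cumulative, which is why the guide pairs the stricter tiers with shorter auto-lock and lower failed-attempt limits.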
4.3 Restriction Profiles Restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where your employees use their devices. They are typically used to prevent an end user from performing a specific action on their device. When configuring a Restrictions profile, consider:
Platform – options vary based on OEM and OS
Device Functionality – disable specific device functions to align with the device's purpose
Applications – remove access to non-productive native apps
Data Loss Prevention – force encryption and disable SD card access, USB and cloud backups
Recommendations: All device restrictions are to be set by the prerogative of the client.
4.4 Enforcing Device Compliance Another aspect of securing managed devices in your fleet is the Compliance Engine, AirWatch's automated tool to ensure all devices adhere to your policies. Your policies may include basic security settings such as requiring a passcode and minimum device lock period. You may also decide to set password strength, blacklist certain apps and require device check-in intervals to ensure devices are safe and in-contact with the AirWatch servers.
Once configuration is complete and devices are out of compliance, the Compliance Engine begins to warn the user to fix compliance errors to prevent disciplinary action on the device. For example, if a user loads blacklisted games or social media apps onto their device, the Compliance Engine sends a message to notify the user that their device is out of compliance. If the errors aren't corrected in the amount of time specified, the device loses access to certain content and applications. You may even automate the escalation process if corrections aren't made: lock the device down and notify the user to contact you to unlock the device. These escalation steps, disciplinary actions, grace periods and messages are all completely customizable with the AirWatch Admin Console. Enforcing mobile security policies is as easy as:
Building your policies – Customize your policy to cover everything from application list, compromised status, encryption, model and OS version, passcode and roaming
Defining escalation – Configure time-based actions in minutes, hours or days and take a tiered approach to those actions
Specifying actions – Send SMS, email or push notifications to the user's device or send an e-mail only to an Administrator. Request device check-in, remove or block specific profiles, install compliance profiles, remove or block apps and perform an enterprise wipe
Recommendations: As with profiles, AirWatch recommends only configuring one compliance rule per policy. We recommend setting up specific policies based on the table below. All other policies are to be configured per the prerogative of the client.
Compliance Policy   Android   iOS   Windows 10 Mobile   Windows 10   Mac OS X
Passcode * †   X NA *
Encryption *   X
Compromised Status   NA NA NA
Last Compromised Scan   NA NA NA
Terms of Use Acceptance **
Antivirus Status   NA NA NA NA
OS Version
Application List   NA NA
*For iOS devices, AirWatch recommends NOT setting a compliance profile for Passcode or Encryption. This is automatically enforced through the passcode/encryption profile as long as “Allow Removal” in the General settings is set to “never”.
**Compliance policies for Terms of Use Acceptance will only be enforced when pushing out a new Terms of Use, but not with the initial acceptance that is required with enrollment.
†When enabling passcode compliance on Windows Phone devices, we recommend ensuring a passcode exists on the phone prior to setting up compliance.
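The warn, block and wipe flow described in 4.4, as an added example that is not part of the guide and not the Compliance Engine's own code. The escalation delays (immediate warning, block after 24 hours, enterprise wipe after 72 hours), the check-in threshold of 7 days, the "com.example" application identifiers and the fleet snapshot are all constructed for the example; the engine here evaluates one snapshot and returns the action due, it does not send notifications or wipe anything.

```python
"""Compliance Engine escalation modelled on the warn / block / wipe flow above.

Constructed example, not AirWatch code. The escalation delays, the blacklisted
app identifiers, the check-in threshold and the fleet data are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Tiered, time-based actions: (delay after the first violation, action).
ESCALATION = [
    (timedelta(0), "notify_user"),                       # warn immediately
    (timedelta(hours=24), "block_apps_and_profiles"),    # remove access after the grace period
    (timedelta(hours=72), "enterprise_wipe"),            # final disciplinary action
]
BLACKLISTED_APPS = {"com.example.game", "com.example.social"}   # constructed IDs
MAX_CHECKIN_GAP = timedelta(days=7)                            # assumption


def violations(device: Dict, now: datetime) -> List[str]:
    """Rules the device currently breaks: blacklisted app, compromised, no check-in."""
    problems = []
    if BLACKLISTED_APPS & set(device["apps"]):
        problems.append("blacklisted_app")
    if device["compromised"]:
        problems.append("compromised")
    if now - device["last_checkin"] > MAX_CHECKIN_GAP:
        problems.append("no_checkin")
    return problems


def action_due(noncompliant_since: datetime, now: datetime) -> Optional[str]:
    """The most severe escalation step whose delay has already elapsed."""
    elapsed = now - noncompliant_since
    due = None
    for delay, action in ESCALATION:
        if elapsed >= delay:
            due = action
    return due


def evaluate(device: Dict, now: datetime) -> Dict:
    """Return the compliance state and the action the engine should take right now."""
    problems = violations(device, now)
    if not problems:
        return {"compliant": True, "violations": [], "action": None}
    # A device that has just fallen out of compliance starts its clock now.
    since = device.get("noncompliant_since") or now
    return {"compliant": False, "violations": problems, "action": action_due(since, now)}


# Constructed fleet snapshot for a stand-alone run.
NOW = datetime(2016, 3, 1, 12, 0)
FLEET = [
    {"id": "d1", "apps": ["com.example.mail"], "compromised": False,
     "last_checkin": NOW - timedelta(days=1)},
    {"id": "d2", "apps": ["com.example.mail", "com.example.game"], "compromised": False,
     "last_checkin": NOW - timedelta(hours=2), "noncompliant_since": NOW - timedelta(hours=30)},
    {"id": "d3", "apps": [], "compromised": True,
     "last_checkin": NOW - timedelta(hours=1), "noncompliant_since": NOW - timedelta(days=4)},
    {"id": "d4", "apps": [], "compromised": False, "last_checkin": NOW - timedelta(days=10)},
]


def evaluate_fleet(fleet=FLEET, now=NOW) -> Dict[str, Optional[str]]:
    """Map device id -> action due (None when the device is compliant)."""
    return {d["id"]: evaluate(d, now)["action"] for d in fleet}


if __name__ == "__main__":
    for dev_id, action in evaluate_fleet().items():
        print(dev_id, action)
```

The snapshot exercises each tier: d2 has carried a blacklisted app for 30 hours and is past its grace period, d3 has been compromised for four days and has reached the wipe step, and d4 has only just been flagged for missing check-ins, so it receives the warning first. Keeping one rule per policy, as the guide recommends, is what makes the returned reason list unambiguous.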
4.5 Privacy Policy Configuring privacy settings according to device ownership allows you to easily adhere to data privacy laws in other countries or legally-defined restrictions and even ensure certain IT checks and balances are in place, preventing overload of servers and systems. Recommendations: The default privacy settings in your console are set to AirWatch’s best practice for all device ownership types. Customers may adjust the settings as needed to comply with any country or industry standards.
4.6 Privacy First The AirWatch Privacy First program is a new feature in version 8.3 that provides more transparent information to end users on the information and settings being managed by AirWatch MDM. Privacy First is not a replacement for the End User License Agreement or Terms of Use, but rather additional information that the user always has access to regarding their privacy. This program aims to encourage BYOD adoption by providing details on what AirWatch can and cannot do on users’ phones. Recommendations: AirWatch recommends enabling Privacy First for all Employee Owned devices. Customers should always review their privacy settings prior to enabling Privacy First. The default privacy settings in the AirWatch console should be set to our recommendations to avoid any potential privacy violations. Please note that Privacy First is not intended to replace an official Terms of Use.
5. MAM Setup and Policies 5.1 Deploying and Managing Applications Distribute, secure and track mobile applications across your mobile fleet with AirWatch’s Mobile Application Management capabilities directly from the AirWatch Admin Console. These consist of the following three types of applications:
Internal applications - Applications developed by your organization that you may not necessarily want to be in a public app store. Since internal applications are company-specific applications, you can obtain the application file from your developers and upload it to the AirWatch Admin Console. Once the internal application is uploaded, you can manage the application's settings and deployment over-the-air from the AirWatch Admin Console alongside publicly available applications or applications purchased in bulk. Install, remove and update the application wirelessly and with minimal end-user interaction. Additionally, take advantage of available AirWatch SDK and App Wrapping features to maximize your internal application's potential.
Public Applications - Many of the applications available within public app stores can be used to enhance the business interactions that take place on your managed devices. Deploy and manage some of these applications from the AirWatch Admin Console for the specific groups and users within your organization.
Purchased Applications - If you want to distribute a public or B2B application to hundreds or thousands of iOS devices or users, you may consider using the Apple Volume Purchase Program (VPP). The Apple VPP enables organizations to purchase publicly available applications or specifically developed third-party applications in bulk for distribution.
Recommendations: AirWatch makes the following recommendations in regards to deploying applications:
Always create a required app list
  o This should include the AirWatch Agent and any other enterprise apps you want to enable your users to access
Create a blacklist:
  o Blacklist high risk or inappropriate apps
  o Blacklist apps that can facilitate data loss (e.g. cloud storage apps)
  o If devices are on a corporate data plan, blacklist video or music streaming apps
If App Groups (blacklist, whitelist, etc.) are created, a compliance policy should be set up to enforce the requirements
Web Applications (in Apps & Books) should be used over Web Clip profiles whenever possible
5.2 Deploying the Enterprise App Catalog After you configure your public applications, internal applications and purchased applications in the AirWatch Admin Console, you can deploy an Enterprise App Catalog to your end-users, which will let them access those applications. While the AirWatch Admin Console allows you to manage applications over-the-air in a centralized location, the App Catalog serves as a one-stop shop for your end-users to access applications based on the settings you established in the AirWatch Admin Console. The AirWatch App Catalog is where users can do the following tasks:
View and install recommended public, internal, purchased or web applications.
Browse and filter applications by type and category.
Receive notifications on application updates for both managed and unmanaged applications.
Install application updates for managed applications.
Add ratings and comments for public, internal or purchased applications.
View overall rating for the applications based on ratings provided by other users and view specific comments provided by other users.
View application status, whether an application is Not Installed, Installed, Needs Update or is Blocked.
Recommendations: AirWatch recommends the use of the app catalog for all deployments that are pushing applications to their users. The app catalog should be pushed as a seeded app upon enrollment, rather than through a manual profile.
5.3 Deploying Applications using Apple Volume Purchase Program (VPP) If you want to distribute a public or B2B application to hundreds or thousands of iOS devices or users, you may consider using the Apple Volume Purchase Program (VPP). The Apple VPP enables organizations to purchase publicly available applications or specifically developed third-party applications in bulk for distribution. Any paid application from the App Store is available for volume purchase at the existing App Store price. Custom B2B applications can be free or purchased at a price set by the developer. If your organization uses free public iOS apps collected through the Apple VPP, AirWatch can distribute these apps, as well.
Recommendations: AirWatch recommends using the License-Based method of deploying apps over the Order-Based method. With the License-Based method, apps can be assigned out, revoked, and reassigned without the loss of a license. Once a license has been redeemed using the Order-Based method, it cannot be recycled. If you are pushing public applications, we recommend pushing these as VPP applications.
With the release of iOS 9, Apple now provides support for both user-based VPP and device-based VPP. Device-based VPP is recommended in situations where Apple IDs may not be present on devices (education, retail, etc.). User-based VPP is recommended if Apple IDs will be on the devices and if users have multiple devices on which the application is needed. If user-based VPP is being utilized, a one-to-one mapping of users to Apple IDs is recommended. To ensure that all apps deployed using license-based VPP can be managed from the AirWatch Console, it is recommended that a unique Apple ID be used on each device. The preferred way to revoke a license is through the User: unenroll all devices from a user and then delete the User from the AirWatch Console. You may then re-add the user into the console after they have been removed. The AirWatch Console will revoke the license so that it is available for reuse. If you will be migrating a VPP token from one environment to another, please speak to an AirWatch agent prior to doing so.
6. AirWatch Application Security Settings and Policies Through the AirWatch Admin Console, company administrators have the ability to change security settings for AirWatch applications. The following sections give information and recommendations regarding editing the Default SDK profile for these apps. These settings can also be configured in custom SDK profiles, but AirWatch recommends against the use of custom SDK profiles unless you have a specific use case for an application.
6.1 Authentication Through the AirWatch Container, you can designate a requirement to access AirWatch applications or wrapped applications. Configurable options are a passcode, username and password, or no authentication. Please consider the following when determining authentication type:
Passcode – Designates a local passcode requirement for AirWatch applications or wrapped applications that have the default settings profile applied to them. Device users set their passcode on the device at the application level when they first access the application.
Username and Password – Requires a user to authenticate to AirWatch using the AirWatch credentials. Set these credentials when you add users in the Accounts area of the AirWatch Admin Console.
Disabled – Requires no authentication to access the application
Recommendations: For a Container deployment, AirWatch recommends the use of a passcode to secure Container applications. A moderately complex passcode should be used to promote ease of use for end users while maintaining corporate security. See Section 4.2 for more guidelines on password complexity.
6.2 Single Sign On Single-Sign-On works in conjunction with Container authentication by allowing your end users to enter their credentials only once during the SSO session in order to access Container applications. If SSO is disabled, users must enter a separate passcode or credentials for each individual application. Recommendations: AirWatch recommends the use of Single-Sign-On with containerized applications. If a specific application within Container has different requirements, a Custom SDK profile can be configured and require different authentication for that app. Please speak with your Deployments engineer for more information on Custom SDK profiles.
6.3 Integrated Authentication Integrated Authentication allows user credentials to be passed on from enrollment to other allowed sites/apps to provide more seamless use. Recommendations: AirWatch recommends the use of Integrated Authentication for ease of use unless you have strict security policies that require a sign in for each application or site.
6.4 Offline Access Enabling offline access gives your end users the ability to access corporate resources using the SSO identity when the device is offline. Recommendations: Administrators should create a policy for offline access that weighs the benefit of this access against potential loss of security. We recommend against always allowing offline access, but the time frame should be determined by your company policy.
6.5 Compromised Protection Compromised protection can be enabled to automatically perform an Enterprise Wipe if the device is detected as compromised. An Enterprise Wipe will remove all corporate data from the device and unenroll the user. Recommendations: AirWatch recommends the use of Compromised Protection for BYOD deployments to reduce security risks.
6.6 AirWatch App Tunnel The AirWatch App Tunnel allows an application to communicate through a VPN or reverse proxy to access internal resources such as SharePoint or other intranet sites. The App Tunnel can integrate with the AirWatch Mobile Access Gateway, an F5 proxy, or a Standard Proxy. Recommendations: AirWatch recommends the use of the Mobile Access Gateway with the AirWatch App Tunnel.
6.7 Data Loss Prevention This feature allows administrators to protect sensitive data within applications by blocking end users from performing certain actions. These actions include Copy and Paste, Printing, Camera, Composing Emails, Data Backup, Location Services, Bluetooth, Watermark, and limiting documents to open only in approved apps. Keep in mind that Data Loss Prevention is not specifically available for Container, but it is available for applications contained in the Container. Recommendations: AirWatch recommends the use of Data Loss Prevention if you have sensitive information within the Container applications that you are trying to protect. We do recommend setting “Limit Documents to Only Open in Approved Apps” to only open in AirWatch applications (Content Locker, Browser, Inbox, or Wrapped/SDK enabled corporate apps).
6.8 Network Access Control This feature allows the administrator to configure the type of network access an application is allowed to use. If enabled, the admin can control when a device is allowed to use both a cellular connection and a Wi-Fi connection. Recommendations: AirWatch recommends that Network Access Control is disabled unless you have a specific use case that requires limitation to the network access of your Container or AirWatch applications.
7. MEM Setup and Policies 7.1 Deploying Corporate Email AirWatch provides advanced Mobile Email Management (MEM) solutions through email access control and data loss prevention capabilities which are not provided by the native mail infrastructure. Corporate email is established on devices with an Exchange ActiveSync (EAS) payload. When configuring an EAS payload, consider:
SSL – Use SSL to encrypt mail traffic.
Look-up Values – Leverage user account information to simplify authentication.
Data-loss Prevention – Prevent access in third-party email clients and moving messages.
Email Platform – Choose the email client for select Android devices and iOS devices.
AirWatch allows customers to push mail through the native application or through an email container, depending on device type. The table below provides recommendations for when to deploy corporate email through the native email client or through a separate email container. Clients have the option of using the AirWatch Inbox, Touchdown, or Traveler clients if they opt for the containerized experience.
Native Experience: Access mail via the out-of-box mail application on your device
  Benefits: Intuitive native user experience; One mail client contains all mail on device; Some platforms have built-in containerization (e.g. iOS 7); No cost or third-party application required – built-in support
  Considerations: Corporate and personal mail located within same application; Some platforms don’t support things like additional PIN for email and copy/paste blocking
  Ideal For: Businesses with moderate email security requirements; Businesses valuing the native email experience on a device
Containerized Experience: Access mail via AirWatch Inbox application
  Benefits: Separation of corporate and personal mail into different app containers; Deliver email to a device not managed by MDM; Advanced DLP features: disable copy & paste, inbox passcode, etc.; Encrypt attachments without use of SEG proxy
  Considerations: Requires a third-party application; Different mail clients for personal and corporate mail on device; Unique experience from native mail application
  Ideal For: Businesses utilizing AirWatch Container; Regulated users with DLP requirements to block copy/paste on device; Android BYOD users for a consistent email experience across manufacturers
Recommendations: We recommend the AirWatch Inbox for Android devices for cross OEM support and for iOS devices if email containerization is required. Other considerations may need to be made if email attachment encryption is being utilized.
7.2 Email Notification Service Presently, the AirWatch Inbox on iOS devices syncs email from the Exchange server at a regular interval of time. When a new email is available on the Exchange server, Inbox fetches the message ID and displays a notification on the device locally. This is only possible when the Inbox is running in the background and starts polling Exchange for some time duration. This time duration is decided by the operating system. Periodic manual syncs from the Inbox may lead to battery drainage. With AirWatch 8.2+, it is possible to receive real time email notifications on iOS devices with the AirWatch Inbox installed. The AirWatch Email Notification Service (ENS) communicates with AirWatch and maintains the latest set of enrolled iOS devices that have AirWatch Inbox installed. It then creates a persistent connection between ENS and the Exchange server. On receiving a new message from Exchange, ENS pushes this message event to the specific device user via the Cloud Notification Service (CNS) and the Apple Push Notification Service (APNS). Recommendations: AirWatch recommends the use of ENS when looking for real time email notifications for iOS devices using the AirWatch Inbox. Use of ENS can also reduce battery drain on these devices by removing the need to manually sync mail.
7.3 Protecting Your Email Infrastructure In order to take advantage of AirWatch's Mobile Email Management features and ultimately protect your mail infrastructure, you must first configure one of AirWatch’s MEM models:
Visibility Only
PowerShell Integration
Gateway Approach
Models 2 and 3 below provide a very similar set of MEM capabilities and are, for the most part, selected solely based on what type of email infrastructure you are utilizing. AirWatch recommends that you use the following models based on your email infrastructure and security requirements:
1 – Configuration Only
  Features: View managed devices with email deployed; Remotely push/revoke email; No additional setup required
  Considerations: Unmanaged devices may still connect directly to email server; No email access control to block devices from accessing mail when non-compliant
  Ideal For: Businesses with moderate email security requirements
2 – PowerShell Integration
  Features: View devices connected to email server; Remotely push/revoke email; Blacklist unmanaged devices from access; Enable advanced troubleshooting
  Considerations: Requires Exchange 2010/2013 or Office 365 architecture; Additional setup required; No real time details about unmanaged devices attempting to connect to Exchange
  Ideal For: Businesses wanting email access control without proxying email
3 – Gateway Approach
  Features: View real time details about devices connected to email server; Remotely push/revoke email; Blacklist unmanaged devices from access; Enable advanced troubleshooting; Content Transformation
  Considerations: Requires Exchange 2003+, Lotus Notes, GroupWise, or other EAS based architecture; Lightweight on-premise architecture required
  Ideal For: Businesses with strict email security requirements with supported architecture
Recommendations:
AirWatch recommends using PowerShell with Office 365 and Microsoft Exchange 2010 and above environments. If a large number of devices (greater than 50,000) will be enrolled into your environment, additional considerations may need to be made. PowerShell is typically used with the AirWatch Cloud Connector server. If you are integrating PowerShell with Office 365, the AirWatch Cloud Connector is not required. If PowerShell is being utilized, AirWatch recommends enabling PowerShell before you begin enrolling devices to streamline the admin and end-user experience. Compliance policies or restricted access can be enabled later if desired. AirWatch recommends syncing mailboxes to the Console during the initial configuration. Additional syncs post integration can cause overhead on the system and unwanted notifications to end-users.
If installing the Secure Email Gateway, AirWatch recommends installing the component on its own server when possible. It can be combined with other servers if cost is an issue, but we do not support it being installed on an EAS server.
Regardless of the email management approach used, AirWatch recommends creating an EAS profile for all platforms that could potentially be enrolled before any devices are enrolled. AirWatch also recommends against the use of email on shared devices.
7.4 Enforcing Email Access Control Now that email has been deployed, you can further protect your mobile mail with access control to only allow secure, compliant devices to access your mail infrastructure. AirWatch recommends using mobile email access control to restrict mail from:
Inactive or un-managed devices
Compromised or Non-encrypted
Devices from older Make/Model/OS
Recommendations: AirWatch makes the following recommendations in regards to email compliance:
Email compliance should not be used to enforce a policy that can be enforced through MDM compliance
All devices should be on allowed list before you turn on compliance to block users
Always block unmanaged devices
Do not use mail client compliance because of the frequent updates that are made to clients and the potential of blocking mail from your users
Block devices based on device inactivity in order to prevent unmanaged devices from accessing corporate mail
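The access-control rules from 7.4 as a gate over a list of EAS device records, as an added example that is not part of the guide and not the PowerShell integration's or the Secure Email Gateway's own code. The record fields, the 30-day inactivity threshold and the sample devices are constructed. The gate has a non-enforcing mode that reports what would be blocked, which is how the recommendation to get every device onto the allowed list before turning on blocking can be checked in practice; there is deliberately no mail-client version rule.

```python
"""Email access-control gate following the recommendations above.

Constructed example, not AirWatch code: device-record fields, the inactivity
threshold and the sample records are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=30)   # assumption


def block_reason(record: Dict, now: datetime) -> Optional[str]:
    """First matching reason to deny mail, or None. Unmanaged devices are always blocked.

    No mail-client version rule on purpose: the guide advises against it.
    """
    if not record["managed"]:
        return "unmanaged"
    if now - record["last_seen"] > INACTIVITY_LIMIT:
        return "inactive"
    if record["compromised"]:
        return "compromised"
    if not record["encrypted"]:
        return "not_encrypted"
    return None


def gate(records: List[Dict], now: datetime, enforce: bool) -> Dict[str, Tuple[str, Optional[str]]]:
    """Decision per EAS device id.

    With enforce=False nothing is blocked; devices that would be blocked are
    reported as 'would_block' so the allowed list can be reviewed before
    enforcement is switched on.
    """
    decisions = {}
    for rec in records:
        reason = block_reason(rec, now)
        if reason is None:
            decisions[rec["eas_id"]] = ("allow", None)
        elif enforce:
            decisions[rec["eas_id"]] = ("block", reason)
        else:
            decisions[rec["eas_id"]] = ("would_block", reason)
    return decisions


def allowed_list(records: List[Dict], now: datetime) -> List[str]:
    """Devices that pass every rule: the list to confirm before enabling blocking."""
    return sorted(r["eas_id"] for r in records if block_reason(r, now) is None)


# Constructed records for a stand-alone run.
NOW = datetime(2016, 3, 1, 9, 0)
RECORDS = [
    {"eas_id": "e1", "managed": True, "compromised": False, "encrypted": True,
     "last_seen": NOW - timedelta(days=1)},
    {"eas_id": "e2", "managed": False, "compromised": False, "encrypted": True,
     "last_seen": NOW - timedelta(hours=3)},
    {"eas_id": "e3", "managed": True, "compromised": False, "encrypted": True,
     "last_seen": NOW - timedelta(days=45)},
    {"eas_id": "e4", "managed": True, "compromised": True, "encrypted": True,
     "last_seen": NOW - timedelta(hours=1)},
    {"eas_id": "e5", "managed": True, "compromised": False, "encrypted": False,
     "last_seen": NOW - timedelta(days=2)},
]

if __name__ == "__main__":
    print("allowed before enforcement:", allowed_list(RECORDS, NOW))
    for eas_id, decision in gate(RECORDS, NOW, enforce=True).items():
        print(eas_id, decision)
```

Running the gate with enforce=False first surfaces e3 as an inactive device that would lose mail once blocking is enabled; that is the moment to decide whether it is a stale record to clean up or a user who needs to check in before the switch is flipped.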
7.5 Protecting Email Attachments & Hyperlinks Opening email attachments on mobile devices often requires the use of external reader applications. However, as they leave the corporate mailbox, they immediately become vulnerable to data loss. Even worse, these attachments typically contain your most sensitive corporate information. Protect your corporate materials by gaining control over mobile email attachments. Through the Secure Email Gateway, AirWatch provides the feature of securing your email attachments for both managed and un-managed devices.
Recommendations: Attachment encryption is at the customer's discretion. Basic-security customers typically do not require this level of protection, but we do recommend it for high-security customers. If you choose to use email attachment encryption, the following chart gives AirWatch's recommendation for each platform and mail client: enforce it through an email profile setting, through a compliance policy combined with the SEG, or through the mail client's own built-in attachment encryption.

Attachment Encryption

Mail client              iOS                      Android                   Windows 10 Mobile         Windows 10
Native                   Email Profile Setting    Compliance Policy + SEG   Compliance Policy + SEG   Compliance Policy + SEG
AW Inbox (AirWatch Inbox) Mail Client             Mail Client               Mail Client               Mail Client
8. MCM Setup and Policies
The use of mobile devices in the enterprise makes accessing corporate content easier and more convenient than ever before, as documents can be shared and read on the go. However, that accessibility comes with increased security concerns for protecting sensitive corporate information. When deploying content you have to balance three requirements: letting employees access corporate data securely from their devices, making information easy to reach, and updating content in bulk.
8.1 AirWatch Content Locker
The AirWatch Mobile Content Management (MCM) solution helps your organization address the challenge of securely deploying content to a wide variety of devices through the Content Locker. The Mobile Content Management Guide explains how to deploy and manage content from the AirWatch Admin Console and how to configure the Content Locker for advanced content management, including:
Ensuring data security
Syncing with AirWatch Content Repositories
Syncing with third-party repositories hosted internally or in the cloud
Uploading content to the AirWatch Admin Console
Providing secure distribution
Integrating personal content
8.2 Integrating with Content Repositories
Integrate with your existing corporate infrastructure so that content is updated and managed in one system. After the initial setup, AirWatch keeps repositories of up to 200 folders in sync. Once integration is established, end users can access up-to-date content from the Content Locker anywhere in the world. You can administer two types of repositories from the AirWatch Admin Console:
Admin Repositories integrate with your existing repository structure to send software, files and other content to devices.
User Repositories allow administrators to dynamically assign each end user a custom repository link. End users may also have the option to manually create their own repositories from the Self Service Portal.
8.3 Configuring AirWatch Browser Settings
The first step in setting up the AirWatch Browser is configuring its settings in the AirWatch Admin Console. These basic settings specify the behavior of the browser, from the completely locked-down Kiosk Mode to the more flexible, but equally secure, Restricted Mode. You can also create allowed or denied URL lists to restrict the domains users are able to browse to. After configuring the general settings, provide a list of bookmarks to make available as shortcuts for your end users; bookmarks take users directly to the sites they use most often.
8.4 Content Locker Collaborate
Content Locker Collaborate allows end users to create or modify files stored in a network or SharePoint directory. Repositories can be configured as Edit and/or Write enabled, with advanced configurations that enable or disable editing of specific files within a repository. Users can also create new documents within the Content Locker and save them locally or upload them to a write-enabled repository.
8.5 Personal Content
Personal content is a stand-alone feature that can be used in conjunction with Admin or User repositories. It allows users to sync their content between Content Locker on their devices, Content Locker Sync on their Windows or Mac computer, and the Self Service Portal (SSP). Following the reference sheet in the MCM Guide sets storage allocation and user permissions. Controls are available for folder sharing and for emailing, printing, and opening documents in other applications. For more flexible storage sizing, or to meet a requirement to store content on premises, Remote File Storage (RFS) allows SaaS customers to store end users' personal content at an endpoint of their choosing.
MCM Recommendations: AirWatch makes the following recommendations for MCM:
Use the default SDK settings for AirWatch applications unless you have a specific requirement. For agent-based operating systems, be sure to set your SDK profile V2 to the default settings.
Enable a time limit for offline access, chosen according to your company's security concerns.
If you are using Personal Content, change the default Self Service Portal login page from device management to content, using user roles.
To prevent data loss, AirWatch recommends the following settings per document and per repository:
Restrict copy and paste
Restrict printing
Restrict data backup
Disable analytics and logging
9. Device Specific Recommendations
AirWatch provides some recommendations that pertain only to certain device types or operating systems. Please review the sections below for more information.
9.1 iOS Recommendations
Please consider the following items when using AirWatch with iOS devices:
The Apple Device Enrollment Program should be utilized for corporate devices whenever possible
Device supervision is recommended to ensure the greatest level of functionality
Although it is not required for enrollment, the AirWatch Agent should always be pushed to devices as a managed application for full MDM functionality
9.2 Android Recommendations
Please consider the following items when using AirWatch with Android devices:
Android for Work or Knox Mobile Enrollment should be utilized whenever possible
If your corporate devices are not currently eligible for Android for Work or Samsung Bulk Enrollment, plan on migrating your device fleet to Android for Work or Knox Mobile Enrollment enabled devices over the next 2 to 3 years
o Android for Work carrier and device manufacturer information can be found here.
o More information on Samsung Bulk Enrollment can be found here.
OEM-specific settings or the AirWatch Secure Launcher should be used in conjunction with Android for Work (or in place of it if the phone is not eligible) to add more device customization
Android for Work is recommended in conjunction with VMware Identity Manager
AirWatch Service applications for Android should be set to "Push Service App from Play Store" to maintain device security
o Additional considerations may need to be made if internal applications are being published
9.3 Mac OS X Recommendations
Please consider the following items when using AirWatch with Mac OS X devices:
The Apple Device Enrollment Program should be utilized for corporate devices whenever possible
If enrolling domain-joined devices, AirWatch recommends:
o Standard Single User Staging if the device will be assigned to only one user
o Multi User Staging if the device will be shared between different users
If enrolling non-domain-joined devices, AirWatch recommends:
o Advanced Single User Staging to enroll on behalf of a user
o Agent-based enrollment if the user will be enrolling their own device
If device imaging is currently part of your IT process, enrollment through the "Export" method is recommended
For more information on any of these processes as well as additional enrollment options, please see the AirWatch Mac OS X Platform Guide.
The following considerations should be made when applying profiles to Mac OS X devices:
o All system-level profiles should be set as a Device Profile
o User Profiles should be used when the applied settings should change depending on the current user
o We recommend the use of the "Security and Privacy" profile with the default options checked
o If applying a Credentials payload, always leave "allow export from keychain" unchecked so that users cannot export your private key from the keychain
o AirWatch recommends preventing unapproved updates through a "Software Updates" profile to ensure updates do not cause internal issues
  More information can be found here on requirements for this configuration
o Only push restrictions to a User Profile when using shared devices
o Use the Global HTTP Proxy payload to restrict websites
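The Credentials recommendation above is easy to verify before a profile is deployed, because a macOS configuration profile is an XML property list that can be inspected offline. The following Python is an added example, not AirWatch code or an AirWatch API: it assumes that the console's "allow export from keychain" option corresponds to the KeyIsExtractable key of Apple's com.apple.security.pkcs12 payload (whose default, when the key is absent, is exportable), and the sample profile, identifiers and certificate data are constructed for the example. The audit treats a missing key as a finding, which is the case a quick visual check tends to miss.

```python
"""Audit an exported macOS configuration profile (.mobileconfig, an XML plist)
for exportable private keys. Added example, not AirWatch code.
Assumption: "allow export from keychain" maps to the Apple PKCS12 payload key
KeyIsExtractable, whose default (key absent) is true."""
import plistlib

# Constructed sample profile: two PKCS12 payloads, one with the key explicitly
# set to true and one with the key missing (so it defaults to exportable).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mac.creds</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>com.example.mac.creds.p12</string>
      <key>PayloadContent</key><data>AAAA</data>
      <key>KeyIsExtractable</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>com.example.mac.creds.p12b</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
  </array>
</dict>
</plist>
"""

PKCS12 = "com.apple.security.pkcs12"


def audit_profile(profile: bytes) -> list:
    """Return (payload identifier, finding) pairs for every PKCS12 payload whose
    private key could be exported from the keychain. A missing KeyIsExtractable
    counts as exportable, because that is the platform default."""
    prof = plistlib.loads(profile)
    findings = []
    for payload in prof.get("PayloadContent", []):
        if payload.get("PayloadType") != PKCS12:
            continue
        if payload.get("KeyIsExtractable", True):
            findings.append((payload.get("PayloadIdentifier", "?"),
                             "private key exportable from keychain"))
    return findings


def harden_profile(profile: bytes) -> bytes:
    """Return a copy of the profile with every PKCS12 payload pinned to
    KeyIsExtractable = false (the "allow export" box left unchecked)."""
    prof = plistlib.loads(profile)
    for payload in prof.get("PayloadContent", []):
        if payload.get("PayloadType") == PKCS12:
            payload["KeyIsExtractable"] = False
    return plistlib.dumps(prof)


if __name__ == "__main__":
    for pid, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{pid}: {finding}")
    print("findings after hardening:", audit_profile(harden_profile(SAMPLE_PROFILE)))
```

The same loop can be pointed at a directory of exported profiles as a pre-deployment gate; the hardened copy is written back with plistlib.dumps, which preserves the other payload keys unchanged.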
Applications should be pushed to Mac OS X devices through one of the following methods (in preferred order):
o Volume Purchase Program
o .APP files
o Standard Product Provisioning
o Multi-Step Product Provisioning
Appendix 1: Corporate Sample Terms of Use
By enrolling this device, employees agree to be bound by these Terms and Conditions and agree that they are responsible for compliance with any applicable rules. Employees consent to the installation of a Mobile Device Management application, including any restrictions it may enforce and any access it may give to ___________ support personnel. Employees are required to read and become familiar with the usage policy provided by the Company for the Equipment.
1. Usage Terms
Equipment is intended for use at work. Users are expected to use the equipment responsibly for its intended purpose. Use of equipment beyond what is deemed necessary may be restricted during work hours or permanently at any time without prior notice.
2. Privacy
____________ understands the privacy concerns of the participants enrolling devices. However, ____________ may require access to the device in order to review or retain copies of information on the device to comply with legal requirements, or in cases in which the company has a reasonable basis to believe there has been an infringement of this policy such that Confidential Information may have been compromised. The privacy and dignity of the user will be respected to the extent possible. ____________ may collect personal data including, but not limited to, GPS data, roaming status, cellular data usage, call usage, SMS usage, personal applications, File Manager access and Registry Manager. Any device may be remote controlled, un-enrolled or enterprise wiped at any time without prior notice. Any device not owned by the employee may also be factory reset/fully wiped at any time if necessary.
3. Alteration
Employees are not permitted to remove or alter any profiles installed with the MDM enrollment. Any alteration or removal of profiles without prior permission from the MDM administrator will result in the appropriate action. Any attempt to violate or bypass the MDM implementation will result in immediate disconnection from all resources, and there may be additional consequences in accordance with the company's overarching security policy.
4. Equipment Issues and Support
Employees shall not remove profiles or un-enroll their devices when facing issues, and will be required to call the company for any technical support relating to the MDM enrollment. If the company is not able to provide the required assistance, it shall refer the issue to AirWatch for support.
5. Loss and Damage
Employee shall take reasonable and prudent care to maintain the Equipment in good condition and protect it from loss, theft, or damage. Employee shall bear the risk for lost, stolen, or damaged Equipment and components from the date Employee receives delivery of the Equipment until the return of the Equipment to ___________. Employee agrees to report all incidents of theft of or damage to the Equipment to their local law enforcement within twenty-four hours of Employee's knowledge of the loss. Company and Employee shall cooperate fully with the appropriate local law enforcement agencies in completing all necessary reports.