c170 sophos mobile control tech overview
Post on 22-Oct-2015
This module will take you approximately 40 minutes.
Version: March 2012
Copyright 2012 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced,
either in whole or in part, without permission.
Sophos Mobile Control supports 4 platforms:
- Apple IOS, with Apple iPhones, iPod Touch and iPads
- Google Android with Android smartphones and tablets
- Blackberry devices managed by a Blackberry Enterprise Server
- Windows Mobile
In order to be managed, these mobile devices must be able to connect to the Internet:
- via a WiFi connection
- or a mobile phone network connection with data transmission such as 3G or GPRS.
The network services that Sophos Mobile Control uses are:
- HTTPS for all devices
- Apple Push Notification Service for the Apple devices
- Cloud to Device Messaging (C2DM) service for Android devices
- The network services of the BlackBerry Enterprise Server for Blackberry devices
- SMS for all supported smartphones
Mobile devices are identified by several identification methods.
All mobile devices have a unique International Mobile Equipment Identity (IMEI).
All SIM cards have a unique International Mobile Subscriber Identity (IMSI). Additionally, active SIM cards are
connected to a carrier network (also called the SIM operator) with a defined roaming mode.
Each platform uses its own settings to identify the model name, manufacturer, build and/or version.
Additionally, Sophos Mobile Control adds the following information to each registered device in its database:
- Name of device
- Description of device
- Smartphone telephone number
All devices have remote wipe capabilities to remove confidential or sensitive data from lost or stolen devices.
Android and IOS devices have remote lock capabilities. Once locked, a user must know the passcode in order
to unlock the device. If the user forgets the passcode remote unlock allows administrators to reset the
Passcode strength can be enforced on all devices. For example, instead of allowing a simple 4-digit
passcode, an organization can require all passcodes to have a minimum of 6 characters using a mix of
letters and numbers.
All devices, except Android 2 devices, provide basic built-in encryption capabilities.
Application management allows administrators to perform an inventory of all installed applications.
Applications can be deployed directly from Sophos Mobile Control, also called Enterprise App Store,
or from a link to an external store, such as the Apple App Store or the Android Market.
Some platforms, like IOS and Windows Mobile, can allow or forbid downloads and installations of
The configuration settings vary greatly between each platform.
For Apple IOS, the configuration settings are controlled via profiles created by the Apple iPhone Configuration
Utility, which is a free tool from Apple. Once configured, the profiles are sent over the Internet to the devices using
the Apple Push Notification service (APNs).
For devices running Android and Windows Mobile, the configuration settings are controlled via a Mobile
Device Management agent (MDM agent) such as the SMC agent. Once installed, the MDM agent is able to
control these settings by processing a list of commands sent to it.
The configuration of Blackberry devices is managed directly on the Blackberry Enterprise Server.
Please note that the full list of configuration settings that can be controlled on each platform is
published in a knowledgebase article on the Sophos website.
Exchange ActiveSync (EAS) is one of the email applications available on all supported mobile platforms. It
provides secure synchronization of emails, contacts and calendars over HTTPS.
EAS is available for Microsoft Exchange and other third-party mail servers.
When you remove Exchange ActiveSync from your mobile devices, all your mail, contacts and calendar data
are wiped from the device.
Please note that SMC can only control one ActiveSync ID per device.
Administrators can manage compliance by defining rules such as:
- Whether the mobile device must be managed
- The maximum synchronization gap allowed
- The minimum operating system version required
- A list of blacklisted applications and a list of mandatory applications
- Whether encryption of stored data is required
- Whether IOS devices which are jailbroken, or Android devices which are rooted, are allowed
For devices that fall out of compliance the administrator can:
- list the non-compliant devices and then take manual actions, such as removing Exchange ActiveSync (EAS)
- configure an Exchange ActiveSync proxy and automatically disable access to corporate emails
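The following is an added example, not Sophos code, showing how the compliance rule types listed above can be evaluated against device records and turned into the allow/block decision an Exchange ActiveSync proxy would enforce. Field names, rule names, application identifiers and the sample devices are assumptions constructed for illustration.

```python
# Added example (not Sophos code): applies the compliance rule types listed
# above to constructed device records and derives the per-device Exchange
# ActiveSync decision an EAS proxy would enforce. Field names, rule names
# and application identifiers are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Device:
    name: str
    platform: str          # "ios", "android" or "windows_mobile"
    managed: bool          # enrolled with the MDM server
    os_version: str        # e.g. "4.0.3"
    last_sync: datetime    # last successful device synchronization
    apps: set              # installed application identifiers
    encrypted: bool        # built-in storage encryption enabled
    jailbroken_or_rooted: bool

@dataclass
class Policy:
    require_managed: bool = True
    max_sync_gap: timedelta = timedelta(days=7)
    min_os_version: dict = field(default_factory=dict)  # platform -> version
    blacklisted_apps: set = field(default_factory=set)
    mandatory_apps: set = field(default_factory=set)
    require_encryption: bool = True
    allow_jailbroken_or_rooted: bool = False

def parse_version(version: str) -> tuple:
    """'4.0.3' -> (4, 0, 3); non-numeric characters in a component are dropped."""
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def check_device(dev: Device, pol: Policy, now: datetime) -> list:
    """Return the rule names the device violates; an empty list means compliant."""
    violations = []
    if pol.require_managed and not dev.managed:
        violations.append("not_managed")
    if now - dev.last_sync > pol.max_sync_gap:
        violations.append("sync_gap_exceeded")
    minimum = pol.min_os_version.get(dev.platform)
    if minimum and parse_version(dev.os_version) < parse_version(minimum):
        violations.append("os_version_too_old")
    if dev.apps & pol.blacklisted_apps:
        violations.append("blacklisted_app_installed")
    if pol.mandatory_apps - dev.apps:
        violations.append("mandatory_app_missing")
    if pol.require_encryption and not dev.encrypted:
        violations.append("storage_not_encrypted")
    if dev.jailbroken_or_rooted and not pol.allow_jailbroken_or_rooted:
        violations.append("jailbroken_or_rooted")
    return violations

def eas_decisions(devices: list, pol: Policy, now: datetime) -> dict:
    """Map device name -> 'allow' or 'block' for corporate email access via EAS."""
    return {d.name: "block" if check_device(d, pol, now) else "allow" for d in devices}

# Constructed sample data for illustration
NOW = datetime(2012, 3, 15, 9, 0)
POLICY = Policy(min_os_version={"ios": "5.0", "android": "2.3"},
                blacklisted_apps={"unapproved_filesharing"},
                mandatory_apps={"smc_agent"})
SAMPLE_DEVICES = [
    Device("ceo-iphone", "ios", True, "5.1", NOW - timedelta(days=1),
           {"smc_agent"}, True, False),
    Device("old-android", "android", True, "2.2", NOW - timedelta(days=10),
           {"smc_agent", "unapproved_filesharing"}, False, False),
    Device("rooted-tablet", "android", False, "4.0.3", NOW, set(), True, True),
]
```

Calling `eas_decisions(SAMPLE_DEVICES, POLICY, NOW)` blocks the two non-compliant sample devices and allows the compliant one; `check_device` gives the individual violations an administrator would review before taking manual action.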
Please take a moment to answer these questions:
In a simple architecture, the Sophos Mobile Control (SMC) server is in the DMZ, directly connected to the
Devices can connect to the SMC server via HTTPS. HTTPS can be used by the mobile devices to download
applications and to connect to the SMC Self Service Portal. This portal is an optional web interface which can
be used directly by the mobile devices owners.
The administrators also use HTTPS to connect to the SMC server's administration console.
On Android 2.2 and Windows Mobile the commands are sent to these mobile devices via SMS. The SMC
server uses an HTTPS connection to the Sophos SMS Distribution Center to communicate with it.
HTTPS can also be used by the IOS devices to download applications and to connect to the SMC self service
On Apple IOS, the commands are sent via Apple Push Notification Service. The Sophos SMS Distribution
Center is only used to install provisioning profiles on iPhones and when the administrator sends SMS
messages. The SMS Distribution Center is not used on iPads and iPods Touch.
On Android 2.3, Android 3 and Android 4 the commands are sent via C2DM. On these devices the Sophos
SMS Distribution Center is also optional. It is only used if the administrator wants to initiate the installation by
SMS and when the administrator sends SMS messages. It is not used on Android tablets.
Blackberry devices are managed via the BlackBerry Enterprise Server.
In a more advanced architecture the SMC server is not in the DMZ. It is replaced there by a reverse proxy, such as
the Sophos ASG UTM.
If you are planning to use the Self Service Portal, Sophos Mobile Control must connect to the Active Directory
Additionally, if using Exchange ActiveSync, Sophos Mobile Control can also be integrated with it by restricting
EAS access to devices managed by Sophos Mobile Control. SMTP can be used for provisioning by email.
The SMC server can also send email reports to the administrator via SMTP.
These are the main system requirements for the SMC server as explained in the release notes. Please note
that the Java JDK and Microsoft SQL server must be installed before running the installation of Sophos Mobile
In order to connect to your SMC server via HTTPS, an HTTPS certificate must be created. Please note that
Android does not support self-signed certificates. So for Android, customers need to purchase an SSL
certificate from a trusted third-party Certificate Authority (CA). Self-signed certificates can be used on IOS as
long as you follow the guidelines in the Sophos knowledgebase.
The Sophos SMS Distribution Center is provided by Sophos as long as the customer has a valid SMC
Apple Push Notification service (APNs) requires an Apple certificate. You can purchase this certificate from
Apple by registering with the IOS Developer Enterprise program. Alternatively, Sophos can provide this
certificate free of charge by following the Sophos registration process.
C2DM requires a Google account, such as a Gmail account, signed up for C2DM for the Sophos
Mobile Control agent application.
In order to access your Blackberry Enterprise Server you need to have a BES administrator username and
The main installation steps are:
1. Installation of the Java JDK
2. Installation and configuration of the Microsoft SQL Server using the guidelines in the installation guide
3. Selection of the Install location
4. Database settings
5. Creation of the super admin account and the option to use SMTP and to set up the Exchange ActiveSync proxy
6. If enabled, configuration of SMTP
7. If enabled, configuration of the Exchange ActiveSync proxy on the SMC server
8. Configuration of the default compliance check and device synchronization intervals
9. Configuration of the HTTPS certificate, which can be self-signed or imported from a third party
10. Verification of the license information, especially the server URL, which must match the SMC URL.
This last step also tests the access to the Apple Push Notification services and the access to the Sophos
SMS Distribution Center.
Once the installation is complete you can monitor the SMC server and its logs from the system tray tool.
Please note that you run the same installer to upgrade a previous version of Sophos Mobile Control.
Once the installation is complete, the next step is to configure the first customer with the customer wizard.
You need to provide the customer's name and its administrator credentials.
If you plan to use the Self Service Portal, you need to enable it and specify how to connect to
your Active Directory via LDAP.
You can rerun the customer wizard to create additional customers or edit an existing customer. Each
customer has its own management interface and each customer must use a different Active Directory.
Let's look at the typical provisioning steps for IOS devices. The following screenshots are taken from the iPhone setup section in the SMC user guide for Apple IOS.
1. You connect to the SMC Self Service Portal as a user or an administrator. On the iPad and iPod Touch you
need to access the portal from a browser running locally on the mobile device. With an iPhone you can
either use the browser on the iPhone or a browser running on a PC. The domain specified in the username is
used to identify which customer and which Active Directory are used.
2. After logging in, you can register a new device.
3. After clicking register new device, the company policy is displayed.
4. Once you accept the policy terms, you need to select the device platform.
5. On iPhones, you need to enter the phone number and device description.
On an iPad and an iPod Touch, you only enter the description.
6. On iPhones, a message with a confirmation code is sent to the phone number. You then need to enter the
confirmation code in the portal and a second SMS message is sent with a download link. These steps are
skipped on an iPad and iPod Touch. On these devices the download link appears directly on the portal.
7. After clicking the download link, the mobile device management profile installation page is displayed and
you need to click Install and accept the warning. From that point the communication with the SMC server is done via the Apple Push Notification service.
8. Finally, in order to detect jailbroken devices or deploy applications from your own Enterprise App Store,
you need to download and install the Sophos Mobile Control client from the Apple App Store. This step is
optional if you don't need these two features.
9. Once Sophos Mobile Control has been installed and set up on your device, your device is displayed in the
Let's look at the typical provisioning steps for Android devices. The following screenshots are taken from the Android phone setup section in the SMC user guide for Android.
1. Again, once you accept the policy terms, you need to select the device platform.
2. On Android, you have the ability to select whether the installation is done via a PC and needs an SMS, or whether the
installation is done directly by running the browser on the device.
With Android tablets you can only use the second option.
3. If you have selected the first option, a message with a confirmation code is sent to the phone number.
You then need to enter the confirmation code in the portal and a second SMS message is sent with a
If you have selected the second option the download link appears directly on the portal.
4. Depending on your system configuration, the Sophos Mobile Control client will be either downloaded
directly from the SMC server, or you may be asked to download it from the Android Market.
5. Once installed, you need to start this client.
6. If you selected the first option in step 2, you click Active in the Sophos Mobile Control agent; your device receives a confirmation SMS with encrypted content and deletes it automatically.
If you have selected the second option in step 2, you need to click the configuration link in the portal, then
you need to click Active in the Sophos Mobile Control agent. From that point the communication with the SMC server is done via the C2DM service, except on Android
On Android 2.2 and Windows Mobile the commands are sent to the mobile devices via SMS. The devices use
an HTTPS connection to the Sophos SMC server to communicate with it.
This is a summary of the deployment options available on IOS, Android and Windows Mobile.
As you can see the deployment can also be initiated by an SMS or an email from an administrator or from a
helpdesk user. In that case the self service portal is optional.
The SMC client application for Apple devices is only available from the Apple App Store. But it is optional if
you don't need to detect jailbroken devices or deploy applications from your own Enterprise App Store.
The SMC client application for Android devices is available from the SMC server or the Android Market.
The SMC client application for Windows Mobile devices is only available from the SMC server.
Finally, the policy deployment is done:
- by SMS on Android 2.2 and Windows Mobile devices
- by Apple Push Notification service on Apple devices
- by C2DM on Android 2.3, Android 3 and Android 4 devices
Please note that Blackberry devices are directly managed via the BlackBerry Enterprise Server.
Please take a moment to answer these questions:
To connect to the SMC server, you enter HTTPS with the server URL.
The administrator interface appears in the language set in your web browser. It is available in English,
German, French and Japanese. For all other languages the interface is set to English.
As we have seen before, Sophos Mobile Control can manage multiple customers, each with their own LDAP
integration. The customer is created by the server set up.
When an administrator logs in he or she needs to specify the customer and the administrator or helpdesk
Please note that all the web interface interactions are logged in the statistics log for audit purposes.
The home page is made of the following areas:
- At the top: a welcome view with information about the user currently logged in
- At the bottom: a dashboard view of the managed devices by status, platform and device group
- On the left: a menu used to navigate:
  - the sections used by all devices, including Blackberry, such as Task management and Inventory
  - the sections only used by IOS, Android and Windows, such as Provisioning, Application
management, Configuration management and Task bundles
  - the sections only used by Android and Windows devices, such as Command bundles, Backup and
- On the top right: a header with a contextual filter, a link to the home page, a link to the administrator's guide and a button to log off.
- In the middle, the following configuration buttons:
1. In Settings, you can specify your personal display preferences, the message used when provisioning via
email on IOS or Android, configuration of APNs, configuration of C2DM, configuration of the BES and
configuration of the Self Service Portal
2. In Change password, you can change your user's password
3. In User management, you can manage the list of users allowed to connect to the SMC administration
interface. The user types can be administrator (allowed to perform all actions) or a restricted user or
4. In Technical contact, you can enter the contact details that will be displayed on the managed mobile
5. In Device compliance, you can define your compliance settings
In the Task view you can monitor all existing tasks of the last few days.
Tasks can be:
- Installation or uninstallation tasks
- Bootstrap (which is used for installations on IOS devices)
- Explicit refresh of the device data
- Text SMS
- Profile transfer
- Command transfer or command bundle transfer
- Process activation or deactivation
Older tasks are automatically moved to the task archives.
You can use the filter in the header to reduce the number of tasks displayed.
You can manage your devices via the Inventory section.
From the device view, you can list the existing devices, create a new device manually, import a list of devices
from a CSV file or from the BlackBerry Enterprise Server (BES), export the list, and set device filters.
When selecting a device you can:
- Edit the device properties
- Remove the device
- Display all its properties
From the device properties you can:
- Send an SMS text message (if this is a smartphone)
- Display the device compliance violations
- Show the list of applications installed on this device
- On IOS only, show the list of installed profiles and remove them (if you want to wipe the profile data
such as the corporate email, calendar and contact data)
- Add or remove an Active Directory link
- Refresh the data
- On Android and Windows only, show the WiFi, GSM and GSM roaming traffic counters
- Allow or disallow ActiveSync email access, or set it to automatic
- Lock or unlock the device
- Wipe the device
- On Android only, show the mobile location in Google Maps
- On Android and Windows only, restore data from a backup
From device group, you can create groups of devices
From SMC client packages, you can see the list of SMC client packages available for provisioning new
devices directly from the SMC server. Please note that the SMC client for IOS is optional and only available
from the Apple app store.
SMC client installation allows you to deploy the SMC client package to Android via an SMS or an email, or Windows mobile via an SMS, without the Self service portal. This task can be run now or at a scheduled date.
IOS MDM client bootstrap allows you to deploy the IOS installation profile to an iPhone via an SMS, or an iPad or iPod Touch via an email, without the Self service portal.
Please note that in order to deploy via an email you need to enter 0 as the phone number of the device.
From Software packages, you can create new packages for Android, IOS and Windows Mobile devices.
The packages can provide a link to an application on a software portal such as the Apple App Store,
or upload the installation files:
- In IPA format for IOS
- In APK format for Android
- In CAB format for Windows Mobile
Once created, you can push the installation or uninstallation of these software packages from the console.
Alternatively, the package can also be installed by the user on Android and IOS using the App Store menu in
the SMC application locally on their mobile device. In order to appear in the App Store, the package's recommendation status
needs to be set to Required or Recommended.
Please note that the Enable/disable process feature is only available on Windows Mobile.
In the configuration section, you can create and transfer configuration profiles to IOS, Android and Windows
mobile devices. Each platform has a different method.
With IOS devices you need to use the latest iPhone Configuration Utility, which you can download from the Apple website. This tool is updated by Apple every time they release a new feature in the IOS operating system.
When you create a profile with this utility, you can specify whether this profile can be removed by the user,
whether it can be removed with a password, or whether it can never be removed locally from the device.
As a reminder, you can remove IOS profiles remotely from the device management section of the SMC
With Android devices you create a list of commands directly in the SMC console.
With Windows mobile devices, you can edit the profile using the GUI in the SMC console, or create a profile
template from a Windows mobile profile script.
Once created, you can transfer the profiles to a selected list of mobile devices. This task can be run now or at
a scheduled date and time.
With Task bundles, you can create a list of tasks. In one transaction you can:
- Provision the device
- Apply the required policies
- Install the required applications
- Send an SMS text
Once created, you can transfer your task bundles to a selected list of mobile devices or you can use your
bundles in the Self service portal.
With Command bundles, you can create a list of commands for Windows and Android. Once created you can
transfer the commands to your mobile devices or use them in a Task bundle.
We have already seen the SMC Self Service Portal when we looked at the mobile device provisioning steps.
The Self Service Portal is configured by clicking Settings on the home page. From there, you can select:
- which platforms will be active
- which device group the newly registered devices will be part of
- which task bundle will be used to provision the device
and enter your policy agreement text.
To connect to the Self Service Portal, you enter HTTPS with the server URL, followed by /SSP.
The interface appears in the language set in your web browser, like the administration console.
The user needs to enter their domain name and user name. SMC uses the domain name to identify which
customer to use, if you have configured several customers on the SMC server.
Once connected the user can:
-Register a new device
-Lock the device
-Wipe the device
-Reconfigure Sophos Mobile Control on your device
-Show the device location if this is an Android device
In Backup, you can schedule backups of your Android and Windows Mobile files and directories.
The backup of the SMS messages and the browser bookmarks is optional.
As a reminder, the restore command is run from the device management section.
Traffic counter shows the WiFi, GSM and GSM roaming traffic counters on your Android and Windows Mobile
smartphones. If you enable warnings, GSM traffic that exceeds the GSM limit is shown in red.
You need an SVG Viewer plug-in to display the chart if you are using Internet Explorer as your web browser.
Please note that this feature is also available in the device management section.
Please take a moment to answer these questions:
Sophos Mobile Control comes with the following product guides.
To upgrade from a previous version, follow the instructions in the installation guide.
The Sophos knowledgebase provides a large number of articles written by Sophos technical support. You will
find articles covering topics such as:
- Firewall ports required for a complete SMC implementation
- Latest mobile device operating systems supported by SMC
- How to enable self-signed certificates with IOS devices
- How to sign up a Google account for C2DM
- SMC product features matrix for each platform
- Removal instructions on IOS and Android devices
Sophos provides a SMC evaluation server, where partners and prospective customers can evaluate the
solution using their own mobile devices.
Sophos can create a dedicated evaluation customer account for a maximum of 30 days.
Please note that this environment has no Exchange and no LDAP integration.
We recommend that you run a demonstration for the prospective customers before handing them their
customer credentials on the SMC eval server.
Please note that the SMC agents must be removed from all mobile devices at the end of the evaluation.
You should now be able to:
- describe the main technical capabilities of the solution
- run a demonstration
- qualify the system requirements
- list additional Sophos online resources
Sophos provides other solutions for mobile devices:
- Sophos Mobile Security for Windows Mobile protects Windows Mobile phones from malicious applications.
- Sophos Security Threat Monitor is a free app on the Apple App Store. It highlights the latest threats and statistics from SophosLabs.
- IOS and Android devices can use their native VPN client to connect to the Sophos UTM, also known as Astaro Security Gateway.
The following solutions are coming soon:
- SafeGuard Cloud Storage reader on IOS and Android will allow you to open encrypted files shared on cloud storage solutions such as Dropbox.
- Sophos Mobile Security for Android will protect Android devices from malicious applications.
Thank you for taking the time to study the Sophos Mobile Control technical overview course. Feedback is
always welcome as it helps us to improve our courses for you. Please email
[email protected] with your comments.
You can now take your online assessment. This should take around 15 minutes.