As the Novell Product Manager for Mobile Device Management it’s great to see rapid development of new capabilities again. After a hiatus earlier in the year, we’ve released 2.9, 2.9.1 and now 3.0. I expect another release or two before the year is out. Today I want to give you a quick overview of what’s new and why you care. I’ll also cover a key feature that we introduced in 2.9.1 since I was too heads down the last release to get a blog out.

New iOS Management Capabilities

With iOS 7.0.1 Apple introduced two key new capabilities – the Device Enrollment Program (DEP) and a new token-based Volume Purchasing Program (VPP). Both of these programs are designed to provide additional control over employer owned resources. In the case of DEP, the program allows you to supervise iOS devices over-the-air and without the need for the Apple iOS Configurator. DEP also allows you to configure those to devices to require enrollment with the MDM server at the time of initial device setup. The new VPP solution provides the ability for companies to purchase applications for their users, deploy those applications an automatically provision the licenses to their users, and then if the user leaves retract the license. This is a significant improvement over the initial Redemption Code based VPP solution offered in iOS 6 in which after license provisioning the license was now owned by the end user.

Device Enrollment Program Support (ZENworks Mobile Management 3.0)

ZENworks Mobile Management adds support for managing DEP managed devices. Before discussing the hows, there are a few things you should know:

• • In order for a device to be enrolled with DEP, your company must be a member of the DEP program. This requires that you have an Apple customer number that you are using to purchase your devices directly from Apple.

• • In 3.0 ZENworks Mobile Management supports DEP devices in an “app-less” mode. This means that all of the core iOS management capabilities provided by the iOS MDM agent such as pushing applications, enforcing policies, configuring email can be managed. However, ZENworks app specific capabilities such as location detection, file sharing, and user initiated application installs are unavailable. This will be addressed in the next version of ZMM and will include the ability to deploy and provision the application using the iOS MDM app push capabilities.

Configuring DEP support in ZENworks for your DEP enrolled devices is a relatively straightforward process. The key steps are:

1. 1. From the ZENworks console select to upload a DEP token.

1. 1. Download the public key using the link provided in the console.

1. 1. In Apple’s DEP portal, create a new MDM server, using the public key you downloaded.

1. 1. Download the DEP server token from the portal.

1. 1. Assign devices to the MDM server and optionally mark it as the default MDM server.

1. 1. Upload the DEP server token into the ZMM console.

1. 1. On the Users page there will now be a DEP devices link in the upper right, click that.

1. 1. To configure how the device setup wizard will work, click Manage profile and configure the settings and then save it. The profile is then assigned to any devices assigned to the server in the DEP portal.

Once these steps have been done then during the initial iOS welcome wizard the user will be prompted to connect to the ZENworks server with their LDAP or other ZMM credentials. This will cause the device to enroll with ZENworks. Once enrolled any policies or applications assigned will be distributed to the device. The video below shows the end-to-end process.




CAUTION: There is an option in the console to disown a DEP device. This detaches the device from the organization’s record in Apple’s system. This operation is permanent and cannot be undone.

Volume Purchase Program v2 (ZMM 2.9.1)

With ZENworks Mobile Management 2.9.1 and higher Apple’s token based VPP solution is supported for devices running iOS 7.0.1 and higher. Devices running iOS 6.x will continue to require Redemption Codes. To use ZENworks Mobile Management in conjunction with VPP do the following:

1. 1. Login to the Apple VPP portal and download the VPP token.

1. 1. Upload the VPP token to the ZENworks console.

1. 1. Synchronize with Apple. This will read all of the VPP purchase data and create managed applications for any applications that you have purchased through VPP.

1. 1. Invite users to enroll. This normally occurs as soon as you upload the VPP token, but can be done manually as well. This causes a notification to occur on the device prompting the user to provide their Apple iTunes account being used on the device. When provided this links their iTunes account to your organization’s VPP account so that your MDM server can assign VPP tokens to users that are part of the organization.

After these steps are performed it’s simply a matter of assigning the managed applications in the same way as you normally would. When the application is pushed or pulled, the MDM server will check for an available VPP token, and assuming one is available will make a call to Apple’s server indicating that the associated user should be given the token. The application will then be deployed to the device. If the user leaves the company, resulting in all of his devices being removed from the system, then the VPP token is returned to the pool and can be redeployed to another user.

The video below demonstrates how to configure and use VPP 2.0 in ZENworks Mobile Management 2.9.1 and higher:

New Android Management Capabilities

Our focus for Android has been to embrace the Samsung specific capabilities available in Samsung SAFE and KNOX enabled devices. With this release there are a number of policies for SAFE/KNOX devices that provide significantly improvement capability for securing the Samsung device. This is just the first release of ZENworks to support SAFE and KNOX so you can expect us to continue to push out new SAFE and KNOX capabilities over the next several releases. We also believe this effort will be something we can leverage to quickly support many of the new capabilities that Samsung graciously donated back to the Android project for Android L.

KNOX EMM Policies

KNOX Enterprise Mobile Management (EMM) is the current name for the set of capabilities that provides enhancement management controls for Samsung devices. In the past this has also been known as Samsung SAFE and Samsung KNOX Standard. KNOX EMM provides a fairly comprehensive set of capabilities for securing and configuring the device. In many cases these capabilities go above and beyond the capabilities offered on the iOS platform. In ZENworks Mobile Management 3.0 the following KNOX capabilities have been introduced:

• • Kiosk Mode / Alternate Home Screen Controls
    These settings in the KNOX EMM Policy allow you to restrict the device so that only a single application can be executed (such as a POS application) or configure an alternate home screen such that only Managed applications can be executed. Alternate home screen also provides additional capabilities allowing you to restrict access to other device controls such as the task manager, status bar, and more.

• • Application, Browser, and Device Feature controls
    These settings allow you to control many aspects of the device such as whether OTA upgrades of the OS are allowed, whether screen captures are allowed, allowing sharing of the clipboard, restricting use of the play store or settings, and many more. There are numerous options available via the Samsung API and additional policy settings will be added over time.

• • Enhanced Password Management
    KNOX EMM provides a robust set of enterprise grade password controls that can be enforced on the device. This includes customizable blacklisting of passwords, history, password change time outs, complex character requirements, and more.

• • Automated Provisioning of Managed Email in Samsung Email app
    Finally the Knox EMM API provides a means to automatically provision email into the Samsung email app. This means that when you enroll the device with ZENworks, it will be automatically be provisioned with the user’s corporate email, instead of requiring the user to manually configure it.

Future versions of ZENworks Mobile Management will continue to extend on this set of capabilities to include other important capabilities. If you have specific KNOX EMM capabilities you’d like to see added on a priority basis, please let me know.

The video below shows a brief demo of the KNOX EMM capabilities:



 

KNOX Workspace Management

KNOX Workspace is the name for Samsung’s BYOD container technology. This technology allows you to deploy applications, email and other configuration within a secure container or workspace on the Android device. KNOX Workspace capabilities require the purchase of a KNOX Workspace license from Samsung or a Samsung KNOX reseller. Once you have acquired a KNOX Workspace license you can inject that license into the ZENworks console and ZENworks will take care of provisioning the license automatically to devices that support KNOX Workspace and that have been configured to have a container.

ZENworks Mobile Management 3.0 provides a limited set of KNOX Workspace management capabilities. These include:

• • Container provisioning and password controls
    In the KNOX Workspace policy, the first thing you can do is choosing whether a device should get a container. If this setting is enabled, a license has been added to the system, and the device supports KNOX Workspace then the container will be automatically provisioned on the device. Additionally you can configure password settings that are specific to the container.

• • Email provisioning within the container
    When a device is configure to use a KNOX Workspace container, the corporate email account is provisioned within the container instead of on the host device. This keeps your corporate email separate and secure from the rest of the device. Only other applications within the container will be able to access the contents of the email.

• • Restrictions within the container
    A limited set of restrictions including share list management, camera access, and secure keypad usage can be configured for the container.

Additional capabilities will be added in the upcoming releases of ZENworks Mobile Management. Many of these capabilities will likely be extended to support Android L in upcoming releases as well. The following video demonstrates KNOX Workspace policies:

Other Enhancements

ZENworks Mobile Management also provides a few key enhancements that cut across the management platforms. These include:

• • Support for authenticating to a SAML identity provider at enrollment time. This allows you to use a tool such as Novell Access Manager to validate the user’s credentials before enrollment occurs.

• • Managed apps now display as a Corporate Resource under the User in the console and can now be assigned directly to the user as well as groups and folders.

• • Support for unlimited devices per user.

• • A new policy setting for Allow user to remove enrollment that can be used to prevent unenrollment of the device from ZENworks.

As you can see we’re still hard at work building out new capabilities to make your job easier when it comes to managing the mobile device in your environment. Until next time I hope you find that these capabilities ease your job and improve your user’s experience.