Configuration Guide
Effective: March 1st, 2016
Contents
1. Introduction
6.3 Integrated Authentication
6.4 Offline Access
6.5 Compromised Protection
6.6 AirWatch App Tunnel
6.7 Data Loss Prevention
6.8 Network Access Control
1. Introduction
The AirWatch Admin Console provides a centralized solution to view and manage every aspect of your MDM
deployment. Quickly and easily add new devices and users to your fleet, manage profiles and configure
system settings all within a single, web-based resource. The configuration guide for Bundled Customers
provides a walkthrough and worksheet for completing the core functionality that should be considered prior to
deploying your devices. This guide will cover the following areas:
AirWatch Console Setup
Enrollment Options and Settings
Security Setup
MDM Settings and Policies
MEM Setup and Policies
MAM Setup and Policies
MCM Setup and Policies
Additional Setup Options
All recommendations in this guide are given for a typical corporate deployment. If you do not fall into this
category or have concerns about a specific setup option, please first consult with your Deployments Engineer.
2. AirWatch Foundational Elements
2.1 Defining Organization Groups
AirWatch identifies users and establishes permissions using Organization Groups. With Organization Groups,
you can establish an MDM hierarchy identical to your organization's internal hierarchy. Alternatively, you may
choose to establish Organization Groups depending on features and content that will be accessed from sets of
devices.
Recommendations:
AirWatch recommends that customers make their organization group structure as flat as possible to minimize
unneeded manual administrative tasks when making changes to your deployment. If Administrators for your
environment will need access to only specific groups or levels, Organization Groups are the easiest way to
achieve this segmentation. Additionally we recommend configuring Organization groups for your Production
environment and for Testing purposes. Speak with your consultant for more information on setting this up.
Many customers choose to structure their Organization Groups to mirror their existing Active Directory/LDAP
Organization Unit structure. A one-to-one relationship is then created between AD Organization Unit and
AirWatch Organization Groups. During enrollment, AirWatch will automatically place devices into the
corresponding OG based on the user's Organization Unit settings. Although this structure will work, typically
this method is more granular than most customers need in their environment.
When enrolling both Corporate and BYOD devices, specific consideration is required to ensure that these
devices can be managed in an appropriate manner to ensure both privacy and accurate device configuration.
One of the following approaches is typically selected to automate the configuration of these devices:
1. Enable a setting in the AirWatch Console to prompt the user during the enrollment process to select
which type of device they are enrolling (Corporate Dedicated or Employee Owned).
2. Set your default ownership type to Employee Owned and pre-register all Corporate Owned devices,
setting their ownership type to Corporate Owned.
If you opt to separate your Organization Groups by device ownership type, please be aware of the following
drawbacks:
It can be difficult to move devices and users between Organization Groups
Your entire structure (including profiles, policies and settings) may need to be duplicated
*For non-typical corporate deployment (Education, Retail, etc.), further considerations will need to be made.
Please discuss these with your Deployments Engineer.
Recommendations:
Enable your AD/LDAP to sync automatically with AirWatch to regularly update user and group
information
Unless you plan on restricting enrollment to only pre-approved users, it is unnecessary to bulk
import/sync user groups from your LDAP prior to enrollment
o Users will be created in AirWatch as they enroll
Map User Groups to desired Organization Groups so users are automatically enrolled into the desired
OG
Assign apps, profiles and compliance policies to different User Groups with the use of Assignment
Groups (User Groups, Smart Groups and Organization Groups)
Assign content to different users with the use of User Groups
*AirWatch recommends against manually selecting more than 500 devices when setting up smart
groups.
2.3 Managing Administrators and Role-Based Access
Similar to how AirWatch has user accounts to keep track of users with devices, AirWatch administrator
accounts keep track of who has access to the AirWatch Admin Console. As an administrator, you can maintain
MDM settings, push or revoke features and content and much more from the centralized AirWatch Admin
Console.
Although many organizations have multiple administrators of their managed device fleet, each administrator
may require different levels of access depending on their specific corporate role. Admin Account roles provide
the proper level of access for different administrators. The AirWatch Admin Console allows a quick way to
change roles by simply selecting a new role from the Account Role dropdown box within the Account menu in
the top-right corner of the Console.
For ease of use, there are numerous Default Roles already provided by AirWatch from which you may select.
These default roles are available with every AirWatch upgrade and help quickly assign roles to new users. If
you require further customization, you have the option to create Custom Roles to further tailor the admin
privileges and permissions. Unlike default roles, custom roles require manual updates with every AirWatch
upgrade.
Recommendations:
AirWatch recommends setting up a separate Admin account for each person who will be logging in to the
Console. We also recommend the use of Default Roles over Custom Roles to avoid manual updates after
upgrades.
For On-Premise customers, AirWatch recommends that you maintain a basic administrator account at the
Global Organization Group level with System Administrator privileges. Additional basic or directory admin
accounts can be configured as needed.
Recommendations:
AirWatch recommends the use of the Self Service Portal for most deployments in order to capitalize on the
benefits listed above.
2.5 Managing User Roles
By defining user roles within the AirWatch Admin Console, you can set who has access to the Self Service
Portal (SSP) and what actions logged-in users can perform. Full Access and Basic Access user roles have
been added by default, but additional roles can be added for BYOD users.
Recommendations:
When defining custom user roles, AirWatch strongly recommends duplicating the Full Access role and
renaming it to [COMPANY] Full Access. Then the Administrator can change the end user access for their
custom role based on the company's policies and goals. This custom role should then be set as the default
end-user role in the Admin Console.
Recommendations:
For the deployment of corporate owned devices, AirWatch recommends enabling a notification to email the
Administrator if a corporate device is unenrolled or a device is blocked by an enrollment restriction.
3. Identity and Access Management
Full Device Management
Full device security, flexible monitoring, management, and enforcement over the entire lifecycle of a device.
Benefits
Provides full protection & visibility of all data on device
Ease of access directly into both personal and corporate apps
Extensive management capabilities including install/remove profiles and apps over-the-air
Flexible privacy policy enforcement to restrict IT from intrusive data and capabilities from console
Provides integration with Samsung KNOX
Offers integration into native email client & device passcodes
Still provides all containerization capabilities of Container
Considerations
Security policies might enforce policies which affect the personal space on the device (e.g. device passcode, restrictions)
Data being managed must be on a device that is not managed by another solution (e.g. only one MDM can exist)
End user perception of privacy concerns
Ideal For
Line-of-business & corporate dedicated devices
Executives / Board of Directors with sensitive data
BYOD deployments
Organization wanting the devices to connect and join the corporate network
Container
Management visibility and enforcement only over the corporate apps and data on the device. Complete containerization of corporate apps and data from personal via the Container application.
Benefits
Provides protection & visibility over corporate data on device without managing the device
Dual persona: personal and corporate apps and data are accessed separately on a device
Avoid OS enrollment prompts warning users of intrusive MDM capabilities and privacy concerns
Unique passcode and email client separating corporate from personal
Identical corporate experience across Android manufacturers & versions
Considerations
Cannot install/remove profiles and apps over-the-air automatically
Cannot utilize device compliance policies
Cannot integrate with native email clients and device passcodes
Does not protect users' personal data
Lost devices cannot be fully wiped even by the employee
Ideal For
BYOD deployments
Complex Android deployments with multiple device manufacturers
Users outside of your organization you are collaborating with
3.3 Enrollment Authentication
The type of user authentication you choose depends on the amount of back-end setup work required by the
administrator and the number of logins required by the end-user on the device at enrollment. If you want the
enrollment process to be as simple as possible for the end-user, the administrator must do more work to set up
the back-end infrastructure. Likewise, a lighter workload for the administrator typically means there are more
steps required for the end-user.
Basic Authentication - Basic Authentication can be utilized by any AirWatch architecture, but offers no
integration to existing corporate user accounts.
Active Directory / LDAP Authentication - Active Directory / LDAP authentication is utilized to
integrate user and admin accounts of AirWatch with existing corporate accounts.
Authentication Proxy - Authentication Proxy is an AirWatch proprietary solution delivering directory
services integration across the cloud or across hardened internal networks. In this model, the AirWatch
MDM server communicates with a publicly-facing web server or an Exchange ActiveSync Server that is
able to authenticate users against the domain controller. This method can only be used when
organizations have a public-facing web server with hooks into the corporate domain controller.
VMware Identity Manager - VMware Identity Manager is a SAML authentication solution that offers single
sign-on support and federated authentication; AirWatch never receives any corporate credentials. If an
organization has another SAML Identity Provider server, SAML 2.0 integration is recommended.
Token-based Authentication - AirWatch generates a token, which is placed within the enrollment
URL. For single-token authentication, the user accesses the link from the device to complete enrollment
and the AirWatch server references the token provided to the user.
Recommendations:
For a typical corporate deployment, AirWatch recommends using Basic or Active Directory enrollment with
Auto-Discovery enabled. (If Active Directory enrollment is being utilized in On Premise environments,
AirWatch recommends configuring this at the Company level, not the Global level.) If two-factor authentication
is required for security reasons, please speak with your consultant on how to best achieve this. AirWatch
always recommends utilizing agent based enrollment to ensure the greatest amount of functionality.
If you have additional questions on enrollment, please discuss these with your Deployments Consultant, or
reference the AirWatch Enrollment Process Guide.
Recommendations:
AirWatch recommends the use of the Device Enrollment Program if it is available to you. When using DEP
enrollment, we recommend pushing the AirWatch Agent as a managed app.
Android for Work offers two modes depending on the ownership of the device being used within your
organization. The Android for Work Work Profile mode creates a dedicated space on the device for only work
applications and data. The Work Profile does not allow AirWatch to control the entire device. For devices that
are being deployed to end users as corporate owned, Work Managed Device mode allows AirWatch and
IT admin to control the entire device.
Recommendations:
Customers should plan on migrating their device fleet to Android for Work enabled devices over the next 2-3
years in order to be able to utilize the greatest amount of functionality for their Android devices.
3.6 AutoDiscovery
AirWatch AutoDiscovery allows your end users to enroll their device using information they already know
(corporate email address), rather than having to enter the AirWatch Server URL and Group ID. Learn more
about AutoDiscovery enrollment with the Guide to Simplified Enrollment with AutoDiscovery.
Recommendations:
AirWatch recommends the use of AutoDiscovery for enrollment for standard corporate deployments if it is an
option.
Recommendations:
AirWatch provides sample Terms of Use policies for Corporate deployments. This sample can be found in
Appendix 1.
**Please note that this Terms of Use is an example only and should not be considered a legally binding
contract. Always consult with your Legal team before publishing your corporate Terms of Use policy.**
3.8 Enrollment Restrictions
Enrollment Restrictions allow you to customize enrollment policies by Organization Group and User Group
roles, including the ability to:
Create and assign existing enrollment Restrictions policies using the Policy Settings.
Blacklist or whitelist devices by platform, operating system, UDID, IMEI, etc.
Using the bottom configuration checkboxes, you may also choose to restrict enrollment to only known
users or users that are a member of configured groups, and specify whether administrators in child
location groups are allowed to create, edit and assign restriction policies.
Recommendations:
AirWatch recommends making the following enrollment restrictions for typical deployments:
Require Apple devices to be on the latest version of each OS that you wish to support to prevent
potential security risks
Require Android devices be on Android version 4.0 or higher; you may also enforce Android
requirements by certain device type or OEM
Restrict device ownership types you don't plan to support
Limit the number of devices that a user can enroll based on licenses purchased
Restrict any OS that you do not wish to support
Keep in mind that multiple enrollment restrictions can be put in place and assigned to user groups
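The enrollment restrictions recommended above, worked through as an added example (not AirWatch code): a small evaluator that checks an enrollment request against minimum OS versions, supported ownership types, a per-user device limit, a device-identifier blacklist and a known-users-only rule, and builds the administrator notification when a device is blocked. The rule-set layout, request fields and all sample values are constructed for this illustration.

```python
"""Enrollment restriction evaluator following the recommendations above.

Added illustration, not AirWatch code: the rule set layout, the
enrollment request fields and every sample value are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.4.2' -> (4, 4, 2) so that '10.0' compares greater than '9.2'."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class EnrollmentRestrictions:
    # Minimum OS per platform: Android 4.0 as recommended, iOS at the
    # latest version the organization supports (constructed value).
    min_os: Dict[str, str]
    # Ownership types the organization supports.
    allowed_ownership: Set[str]
    # Devices one user may enroll, sized to the licenses purchased.
    max_devices_per_user: int
    # Blacklisted device identifiers (UDID, IMEI, ...).
    blacklisted_ids: Set[str] = field(default_factory=set)
    # Only users already known to the directory/console may enroll.
    known_users_only: bool = True


@dataclass
class EnrollmentRequest:
    user: str
    platform: str
    os_version: str
    ownership: str
    device_id: str


def evaluate_enrollment(req: EnrollmentRequest, rules: EnrollmentRestrictions,
                        known_users: Set[str], enrolled: Dict[str, int]) -> List[str]:
    """Return every violated restriction; an empty list means enrollment may proceed.

    All checks run so the admin notification lists every reason at once."""
    reasons: List[str] = []
    if rules.known_users_only and req.user not in known_users:
        reasons.append("user is not a known user")
    if req.device_id in rules.blacklisted_ids:
        reasons.append("device identifier is blacklisted")
    minimum = rules.min_os.get(req.platform)
    if minimum is None:
        reasons.append(f"platform {req.platform} is not supported")
    elif parse_version(req.os_version) < parse_version(minimum):
        reasons.append(f"{req.platform} {req.os_version} is below the minimum {minimum}")
    if req.ownership not in rules.allowed_ownership:
        reasons.append(f"ownership type {req.ownership} is not supported")
    if enrolled.get(req.user, 0) >= rules.max_devices_per_user:
        reasons.append("user has reached the per-user device limit")
    return reasons


def admin_notification(req: EnrollmentRequest, reasons: List[str]) -> Optional[str]:
    """Email text for the administrator when enrollment is blocked, else None."""
    if not reasons:
        return None
    return (f"Enrollment blocked for {req.user} ({req.platform} {req.os_version}, "
            f"{req.device_id}): " + "; ".join(reasons))


# Constructed sample rule set and directory state.
RULES = EnrollmentRestrictions(
    min_os={"iOS": "9.2", "Android": "4.0"},
    allowed_ownership={"Corporate", "Employee Owned"},
    max_devices_per_user=2,
    blacklisted_ids={"IMEI-EXAMPLE-0002"},
)
KNOWN_USERS = {"jdoe", "asmith"}
ENROLLED_COUNT = {"jdoe": 2}          # jdoe already has two devices enrolled

SAMPLE_REQUESTS = [
    EnrollmentRequest("asmith", "Android", "4.4.2", "Corporate", "IMEI-EXAMPLE-0001"),
    EnrollmentRequest("jdoe", "Android", "2.3.6", "Employee Owned", "IMEI-EXAMPLE-0003"),
    EnrollmentRequest("bob", "iOS", "9.3", "Shared", "IMEI-EXAMPLE-0002"),
    EnrollmentRequest("asmith", "Windows Phone", "8.1", "Corporate", "IMEI-EXAMPLE-0004"),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        found = evaluate_enrollment(request, RULES, KNOWN_USERS, ENROLLED_COUNT)
        print(admin_notification(request, found) or f"{request.user}: enrollment allowed")
```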
4. MDM Setup and Policies
4.1 AirWatch Profiles
Profiles are the primary means by which you can manage devices. You can think of profiles as the settings and
rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They
contain the settings, configurations, and restrictions that you want to enforce on devices. Create profiles for
each platform type, and configure payloads (the individual settings, such as those for passcodes, Wi-Fi,
restrictions, or VPN) for each one.
Recommendations:
AirWatch recommends only setting up one payload per profile. This allows you to more easily make changes
and updates to specific payloads without adversely impacting end users. Passcode and Restrictions profiles
(or other required settings) should have Allow Removal set to Never to prevent the end user from getting
around the policy. AirWatch also recommends using the following naming convention when creating profiles:
Payload Type - Assignment Group
Please refer to the device platform guides for more information on device specific profiles and settings.
Recommendations:
AirWatch guidelines on passcode complexity are as follows:
Recommendations:
All device restrictions are to be set by the prerogative of the client.
Once configuration is complete and devices are out of compliance, the Compliance Engine begins to warn the
user to fix compliance errors to prevent disciplinary action on the device. For example, if a user loads
blacklisted games or social media apps onto their device, the Compliance Engine sends a message to notify
the user that their device is out of compliance. If the errors aren't corrected in the amount of time specified, the
device loses access to certain content and applications. You may even automate the escalation process if
corrections aren't made. Lock the device down and notify the user to contact you to unlock the device. These
escalation steps, disciplinary actions, grace periods and messages are all completely customizable with the
AirWatch Admin Console. Enforcing mobile security policies is as easy as:
Building your policies - Customize your policy to cover everything from application list, compromised
status, encryption, model and OS version, passcode and roaming
Defining escalation - Configure time-based actions in minutes, hours or days and take a tiered
approach to those actions
Specifying actions - Send SMS, email or push notifications to the user's device or send an e-mail only
to an Administrator. Request device check-in, remove or block specific profiles, install compliance
profiles, remove or block apps and perform an enterprise wipe
Recommendations:
As with profiles, AirWatch recommends only configuring one compliance rule per policy. We recommend
setting up specific policies based on the table below. All other policies are to be configured per the prerogative
of the client.
Compliance Policy    Android    iOS    Windows 10 Mobile    Windows 10    Mac OS X
Passcode X* NA
Encryption X*
Compromised Status NA NA NA
Last Compromised Scan NA NA NA
Terms of Use Acceptance**
Antivirus Status NA NA NA NA
OS Version
Application List NA NA
*For iOS devices, AirWatch recommends NOT setting a compliance profile for Passcode or Encryption. This is automatically enforced
through the passcode/encryption profile as long as Allow Removal in the General settings is set to never.
**Compliance policies for Terms of Use Acceptance will only be enforced when pushing out a new Terms of Use, but not with the initial
acceptance that is required with enrollment
When enabling passcode compliance on Windows Phone devices, we recommend ensuring a passcode exists on the phone prior to
setting up compliance.
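The Compliance Engine behaviour described above (one rule per policy, time-based tiered escalation, and the iOS footnote that passcode is enforced by the profile rather than by compliance), as an added example that is not AirWatch code. Policy names, escalation tiers, the device record fields, the blacklisted package names and the sample devices are all constructed for this illustration.

```python
"""Compliance Engine with tiered, time-based escalation, following the
section above. Added illustration, not AirWatch code: policy and action
names, the device record and all sample values are constructed here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.2.1' -> (9, 2, 1) so that '10.0' compares greater than '9.2'."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    compromised: bool = False
    passcode_present: bool = True
    installed_apps: Set[str] = field(default_factory=set)
    # Hours each policy has already been in violation (absent = first detection).
    violation_age_hours: Dict[str, float] = field(default_factory=dict)


@dataclass
class Policy:
    """One rule per policy, as recommended, with its own escalation ladder."""
    name: str
    platforms: Set[str]
    check: Callable[[Device], Optional[str]]      # returns a reason or None
    escalation: List[Tuple[float, str]]           # (grace hours elapsed, action)


MIN_OS = {"Android": "4.0", "iOS": "9.2"}                                # constructed
BLACKLISTED_APPS = {"com.example.cloudbox", "com.example.socialgame"}    # constructed


def check_compromised(d: Device) -> Optional[str]:
    return "device is rooted/jailbroken" if d.compromised else None


def check_os_version(d: Device) -> Optional[str]:
    minimum = MIN_OS.get(d.platform)
    if minimum and parse_version(d.os_version) < parse_version(minimum):
        return f"{d.platform} {d.os_version} below minimum {minimum}"
    return None


def check_app_list(d: Device) -> Optional[str]:
    banned = sorted(d.installed_apps & BLACKLISTED_APPS)
    return "blacklisted apps installed: " + ", ".join(banned) if banned else None


def check_passcode(d: Device) -> Optional[str]:
    return "no device passcode set" if not d.passcode_present else None


POLICIES = [
    Policy("Compromised Status", {"Android", "iOS"}, check_compromised,
           [(0, "notify user"), (0, "block profiles"), (24, "enterprise wipe")]),
    Policy("OS Version", {"Android", "iOS", "Windows 10", "Mac OS X"}, check_os_version,
           [(0, "notify user"), (72, "block apps")]),
    Policy("Application List", {"Android", "iOS"}, check_app_list,
           [(0, "notify user"), (24, "block profiles"), (72, "enterprise wipe")]),
    # Passcode is not evaluated for iOS: the passcode profile with
    # Allow Removal = Never already enforces it there (see the table footnote).
    Policy("Passcode", {"Android", "Windows 10 Mobile"}, check_passcode,
           [(0, "notify user"), (48, "block profiles")]),
]


def run_compliance(device: Device, policies: List[Policy]) -> Dict[str, Dict[str, object]]:
    """Evaluate every policy that applies to the device's platform.

    For each violated policy, return the reason and every escalation action
    whose grace period has elapsed; the last action is the current tier."""
    results: Dict[str, Dict[str, object]] = {}
    for policy in policies:
        if device.platform not in policy.platforms:
            continue
        reason = policy.check(device)
        if reason is None:
            continue
        age = device.violation_age_hours.get(policy.name, 0.0)
        actions = [action for hours, action in policy.escalation if age >= hours]
        results[policy.name] = {"reason": reason, "age_hours": age, "actions": actions}
    return results


def is_compliant(device: Device, policies: List[Policy] = POLICIES) -> bool:
    return not run_compliance(device, policies)


# Constructed sample devices.
SAMPLE_DEVICES = [
    Device("android-ok", "Android", "6.0.1", installed_apps={"com.example.crm"}),
    Device("android-games", "Android", "5.1",
           installed_apps={"com.example.crm", "com.example.socialgame"},
           violation_age_hours={"Application List": 30}),
    Device("ios-nopasscode", "iOS", "8.4", passcode_present=False),
    Device("android-rooted", "Android", "4.4.4", compromised=True,
           violation_age_hours={"Compromised Status": 48}),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.name, run_compliance(dev, POLICIES))
```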
4.5 Privacy Policy
Configuring privacy settings according to device ownership allows you to easily adhere to data privacy laws in
other countries or legally-defined restrictions and even ensure certain IT checks and balances are in place,
preventing overload of servers and systems.
Recommendations:
The default privacy settings in your console are set to AirWatch's best practice for all device ownership types.
Customers may adjust the settings as needed to comply with any country or industry standards.
Recommendations:
AirWatch recommends enabling Privacy First for all Employee Owned devices. Customers should always
review their privacy settings prior to enabling Privacy First. The default privacy settings in the AirWatch console
should be set to our recommendations to avoid any potential privacy violations. Please note that Privacy First
is not intended to replace an official Terms of Use.
5. MAM Setup and Policies
5.1 Deploying and Managing Applications
Distribute, secure and track mobile applications across your mobile fleet with AirWatch's Mobile Application
Management capabilities directly from the AirWatch Admin Console. These consist of the following three types
of applications:
Internal applications - Applications developed by your organization that you may not necessarily want
to be in a public app store. Since internal applications are company-specific applications, you can
obtain the application file from your developers and upload it to the AirWatch Admin Console. Once the
internal application is uploaded, you can manage the application's settings and deployment over-the-air
from the AirWatch Admin Console alongside publicly available applications or applications purchased in
bulk. Install, remove and update the application wirelessly and with minimal end-user interaction.
Additionally, take advantage of available AirWatch SDK and App Wrapping features to maximize your
internal application's potential.
Public Applications - Many of the applications available within public app stores can be used to
enhance the business interactions that take place on your managed devices. Deploy and manage
some of these applications from the AirWatch Admin Console for the specific groups and users within
your organization.
Purchased Applications - If you want to distribute a public or B2B application to hundreds or
thousands of iOS devices or users, you may consider using the Apple Volume Purchase Program
(VPP). The Apple VPP enables organizations to purchase publicly available applications or specifically
developed third-party applications in bulk for distribution.
Recommendations:
AirWatch makes the following recommendations in regards to deploying applications:
Always create a required app list
o This should include the AirWatch Agent and any other enterprise apps you want to enable your
users to access
Create a blacklist:
o Blacklist high risk or inappropriate apps
o Blacklist apps that can facilitate data loss (e.g. cloud storage apps)
o If devices are on a corporate data plan, blacklist video or music streaming apps
If App Groups (blacklist, whitelist, etc.) are created, a compliance policy should be set up to enforce the
requirements
Web Applications (in Apps & Books) should be used over Web Clip profiles whenever possible
5.2 Deploying the Enterprise App Catalog
After you configure your public applications, internal applications and purchased applications in the AirWatch
Admin Console, you can deploy an Enterprise App Catalog to your end-users, which will let them access those
applications. While the AirWatch Admin Console allows you to manage applications over-the-air in a
centralized location, the App Catalog serves as a one-stop shop for your end-users to access applications
based on the settings you established in the AirWatch Admin Console.
The AirWatch App Catalog is where users can do the following tasks:
View and install recommended public, internal, purchased or web applications.
Browse and filter applications by type and category.
Receive notifications on application updates for both managed and unmanaged applications.
Install application updates for managed applications.
Add ratings and comments for public, internal or purchased applications.
View overall rating for the applications based on ratings provided by other users and view specific
comments provided by other users.
View application status whether an application is Not Installed, Installed, Needs Update or is Blocked.
Recommendations:
AirWatch recommends the use of the app catalog for all deployments that are pushing applications to their
users. The app catalog should be pushed as a seeded app upon enrollment, rather than through a manual
profile.
Recommendations:
AirWatch recommends using the License-Based method of deploying apps over the Order-Based method.
With the License-Based method, apps can be assigned out, revoked, and reassigned without the loss of a
license. Once a license has been redeemed using the Order-Based method, it cannot be recycled. If you are
pushing public applications, we recommend pushing these as VPP applications.
With the release of iOS 9, Apple now provides support for both user based VPP and device based VPP.
Device based VPP is recommended in situations where Apple IDs may not be present on devices (education,
retail, etc.). User based VPP is recommended if Apple IDs will be on the devices and if users have multiple
devices that the application is needed on. If user based VPP is being utilized, a 1-to-1 mapping of user to Apple ID is
recommended.
To ensure that all apps deployed using license-based VPP can be managed from the AirWatch console, it is
recommended that a unique Apple ID be used on each device.
The preferred way to revoke a license is through the User. Unenroll all devices from a user and then delete
the User from the AirWatch Console. You may then re-add the user into the console after they have been
removed. The AirWatch Console will revoke the license so that it is now available for reuse. If you will be
migrating a VPP token from one environment to another, please speak to an AirWatch agent prior to doing so.
6. AirWatch Application Security Settings and Policies
Through the AirWatch Admin Console, company administrators have the ability to change security settings for
AirWatch applications. The following sections give information and recommendations regarding editing the
Default SDK profile for these apps. These settings can also be configured in custom SDK profiles, but
AirWatch recommends against the use of custom SDK profiles unless you have a specific use case for an
application.
6.1 Authentication
Through the AirWatch Container, you can designate an authentication requirement for access to AirWatch
applications or wrapped applications. Configurable options are a passcode, username and password, or no
authentication. Please consider the following when determining the authentication type:
Passcode - Designates a local passcode requirement for AirWatch applications or wrapped
applications that have the default settings profile applied to them. Device users set their passcode on
the device at the application level when they first access the application.
Username and Password - Requires a user to authenticate to AirWatch using the AirWatch
credentials. Set these credentials when you add users in the Accounts area of the AirWatch Admin
Console.
Disabled - Requires no authentication to access the application
Recommendations:
For a Container deployment, AirWatch recommends the use of a passcode to secure Container applications. A
moderately complex passcode should be used to promote ease of use for end users while maintaining
corporate security. See Section 4.2 for more guidelines on password complexity.
Recommendations:
AirWatch recommends the use of Single-Sign-On with containerized applications. If a specific application
within Container has different requirements, a Custom SDK profile can be configured and require different
authentication for that app. Please speak with your Deployments engineer for more information on Custom
SDK profiles.
6.3 Integrated Authentication
Integrated Authentication allows user credentials to be passed on from enrollment to other allowed sites/apps
to provide more seamless use.
Recommendations:
AirWatch recommends the use of Integrated Authentication for ease of use unless you have strict security
policies that require a sign in for each application or site.
6.4 Offline Access
Recommendations:
Administrators should create a policy for offline access that weighs the benefit of this access against potential
loss of security. We recommend against always allowing offline access, but the time frame should be
determined by your company policy.
6.5 Compromised Protection
Recommendations:
AirWatch recommends the use of Compromised Protection for BYOD deployments to reduce security risks.
6.6 AirWatch App Tunnel
Recommendations:
AirWatch recommends the use of the Mobile Access Gateway with the AirWatch App Tunnel.
6.7 Data Loss Prevention
This feature allows administrators to protect sensitive data within applications by blocking end users from
performing certain actions. These actions include Copy and Paste, Printing, Camera, Composing Emails, Data
Backup, Location Services, Bluetooth, Watermark, and limiting documents to open only in approved apps.
Keep in mind that Data Loss Prevention is not specifically available for Container, but it is available for
applications contained in the Container.
Recommendations:
AirWatch recommends the use of Data Loss Prevention if you have sensitive information within the Container
applications that you are trying to protect. We do recommend setting Limit Documents to Only Open in
Approved Apps to only open in AirWatch applications (Content Locker, Browser, Inbox, or Wrapped/SDK-
enabled corporate apps).
6.8 Network Access Control
Recommendations:
AirWatch recommends that Network Access Control is disabled unless you have a specific use case that
requires limitation to the network access of your Container or AirWatch applications.
7. MEM Setup and Policies
7.1 Deploying Corporate Email
AirWatch provides advanced Mobile Email Management (MEM) solutions through email access control and
data loss prevention capabilities which are not provided by the native mail infrastructure.
Corporate email is established on devices with an Exchange ActiveSync (EAS) payload. When configuring an
EAS payload, consider:
SSL - Use SSL to encrypt mail traffic.
Look-up Values - Leverage user account information to simplify authentication.
Data-loss Prevention - Prevent access in third-party email clients and moving messages.
Email Platform - Choose the email client for select Android devices and iOS devices.
AirWatch allows customers to push mail through the native application or through an email container,
depending on device type. The table below provides recommendations for when to deploy corporate email
through the native email client or through a separate email container. Clients have the option of using the
AirWatch Inbox, Touchdown, or Traveler clients if they opt for the containerized experience.
Recommendations:
We recommend the AirWatch Inbox for Android devices for cross OEM support and for iOS devices if email
containerization is required. Other considerations may need to be made if email attachment encryption is being
utilized.
With AirWatch 8.2+, it is possible to receive real-time email notifications on iOS devices with the AirWatch
Inbox installed. The AirWatch Email Notification Service (ENS) communicates with AirWatch and maintains the
latest set of enrolled iOS devices that have AirWatch Inbox installed. It then creates a persistent connection
between ENS and the Exchange server. On receiving a new message from Exchange, ENS pushes this message
event to the specific device user via the Cloud Notification Service (CNS) and the Apple Push Notification
Service (APNS).
Recommendations:
AirWatch recommends the use of ENS when looking for real-time email notifications for iOS devices using the
AirWatch Inbox. Use of ENS can also reduce battery drain on these devices by removing the need to
manually sync mail.
Models 2 and 3 below provide a very similar set of MEM capabilities and are, for the most part, selected solely
based on what type of email infrastructure you are utilizing. AirWatch recommends that you use the following
models based on your email infrastructure and security requirements:
Recommendations:
AirWatch recommends using PowerShell with Office 365 and Microsoft Exchange 2010 and above
environments. If a large number of devices (greater than 50,000) will be enrolled into your environment,
additional considerations may need to be made. PowerShell is typically used with the AirWatch Cloud
Connector server. If you are integrating PowerShell with Office 365, the AirWatch Cloud Connector is not
required.
If PowerShell is being utilized, AirWatch recommends enabling PowerShell before you begin enrolling devices
to streamline the admin and end-user experience. Compliance policies or restricted access can be enabled
later if desired. AirWatch recommends syncing mailboxes to the Console during the initial configuration.
Additional syncs post-integration can cause overhead on the system and unwanted notifications to end-users.
If installing the Secure Email Gateway, AirWatch recommends installing the component on its own server
when possible. It can be combined with other servers if cost is an issue, but we do not support it being installed
on an EAS server.
Regardless of the email management approach used, AirWatch recommends creating an EAS profile for all
platforms that could potentially be enrolled before any devices are enrolled. AirWatch also recommends
against the use of email on shared devices.
Recommendations:
AirWatch makes the following recommendations in regards to email compliance:
Email compliance should not be used to enforce a policy that can be enforced through MDM compliance
All devices should be on the allowed list before you turn on compliance to block users
Always block unmanaged devices
Do not use mail client compliance, because of the frequent updates that are made to clients and the potential of blocking mail from your users
Block devices based on device inactivity in order to prevent unmanaged devices from accessing corporate mail
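As an added example (not AirWatch's own PowerShell integration code), the following read-only Exchange Management Shell audit supports the "allowed list before blocking" and "device inactivity" recommendations above: it lists ActiveSync partnerships that are not yet on a mailbox's allowed device list and partnerships whose last successful sync is older than a chosen inactivity window. It assumes a remote PowerShell session to Exchange 2013+ or Office 365 is already connected (the MobileDevice cmdlets; Exchange 2010 uses the ActiveSyncDevice-prefixed equivalents) and a constructed 30-day threshold.

```powershell
# Added audit example; not part of the AirWatch product or this guide.
# Assumes an Exchange Management Shell / remote PowerShell session is already connected.
param(
    [int]$InactiveDays = 30   # constructed threshold for the "device inactivity" rule
)

$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$orgLevel = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
Write-Host "Organization default ActiveSync access level: $orgLevel"

$findings = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    if (-not $cas.ActiveSyncEnabled) { continue }
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs)

    # One record per device partnership on this mailbox
    foreach ($dev in Get-MobileDeviceStatistics -Mailbox $cas.Identity -ErrorAction SilentlyContinue) {
        $notAllowed = -not ($allowed -contains $dev.DeviceID)
        $inactive   = ($null -eq $dev.LastSuccessSync) -or ($dev.LastSuccessSync -lt $cutoff)
        if ($notAllowed -or $inactive) {
            [pscustomobject]@{
                Mailbox         = $cas.PrimarySmtpAddress
                DeviceID        = $dev.DeviceID
                DeviceType      = $dev.DeviceType
                AccessState     = $dev.DeviceAccessState
                LastSuccessSync = $dev.LastSuccessSync
                NotOnAllowList  = $notAllowed
                Inactive        = $inactive
            }
        }
    }
}

# Devices not yet on the allowed list would lose mail as soon as block mode is enabled.
$findings | Where-Object NotOnAllowList | Format-Table Mailbox, DeviceID, DeviceType, AccessState -AutoSize

# Inactive partnerships are the candidates for an inactivity block, so forgotten or
# unmanaged devices cannot silently keep a partnership open.
$findings | Where-Object Inactive | Format-Table Mailbox, DeviceID, LastSuccessSync -AutoSize

$findings | Export-Csv -Path .\eas-precompliance-audit.csv -NoTypeInformation
```

Run it against the environment before switching the organization default to Block, and reconcile the CSV with the devices enrolled in the Console.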
Recommendations:
Attachment encryption is to be used at the discretion of the client. Basic security clients typically do not
require this level of security, but we do recommend it for high security clients. If you do choose to use email
attachment encryption, the following chart gives AirWatch's recommendations for whether to use a compliance
policy or the mail client's built-in attachment encryption.
Attachment Encryption

Platform            Native                     AW Inbox
iOS                 Email Profile Setting      Mail Client
Android             Compliance Policy + SEG    Mail Client
Windows 10 Mobile   Compliance Policy + SEG    Mail Client
Windows 10          Compliance Policy + SEG    Mail Client
8. MCM Setup and Policies
The use of mobile devices in the enterprise makes accessing corporate content easier and more convenient
than ever before, as documents can be shared and read on-the-go via mobile devices. However, the benefits
of accessibility come with increased security concerns for protecting sensitive corporate information.
Some security concerns you face when deploying content are: allowing employees to securely access
corporate data from devices, providing easy access to information and updating content in bulk.
8.3 Configuring AirWatch Browser Settings
The first step in setting up the AirWatch Browser is configuring its settings in the AirWatch Admin Console.
These basic settings allow you to specify the behavior of your browser, from the completely locked down Kiosk
Mode, to the more flexible, but equally secure, Restricted Mode. You may also create allowed or denied URL
lists to restrict the domains that users are able to browse to.
After configuring general settings, provide a list of bookmarks to make available as shortcuts for your end-
users. Bookmarks allow your end-users to maximize their efficiency, taking them directly to the sites they utilize
most frequently.
MCM Recommendations:
AirWatch recommends using the Default SDK settings for AirWatch applications unless you have a specific
requirement. For agent-based operating systems, be sure to set your SDK profile V2 to the default settings.
AirWatch recommends enabling a time limit for offline access for users based on the company's security
concerns.
If you are using Personal Content, AirWatch recommends changing the default Self-Service-Portal login page
to content, rather than device management with the use of user roles.
To ensure data loss prevention, AirWatch recommends the following settings per document and per repository:
Restrict copy and paste
Restrict printing
Restrict data backup
Disable analytics and logging
9. Device Specific Recommendations
AirWatch provides some recommendations that pertain to only certain device types or operating systems.
Please review the sections below for more information.
o Advanced Single User Staging to enroll on behalf of a user
o Agent based enrollment if the user will be enrolling their own device
If device imaging is currently part of your IT process, enrollment through the Export method is
recommended
For more information on any of these processes as well as additional enrollment options, please see
the AirWatch Mac OS X Platform Guide.
The following considerations should be made when applying profiles to Mac OS X devices:
o All system level profiles should be set as a Device Profile
o User profiles should be set when applied settings should change depending on current user
o We recommend the use of the Security and Privacy profile with the default options checked
o If applying a Credentials payload, always leave "allow export from keychain" unchecked to
prevent users from exporting your private key from the keychain
o AirWatch recommends preventing unapproved updates through a Software Updates profile in
order to ensure updates won't cause internal issues
More information can be found here on requirements for this configuration
o Only push restrictions to a User Profile when using shared devices
o Use the Global HTTP Proxy payload to restrict websites
Applications should be pushed to Mac OS X devices through one of the following methods (in preferred
order):
o Volume Purchase Program
o .APP files
o Standard Product Provisioning
o Multi-Step Product Provisioning
Appendix 1: Corporate Sample Terms of Use
By enrolling this device, employees agree to be bound by these Terms and Conditions, accept responsibility
for compliance with any applicable rules, and consent to the installation of a Mobile Device
Management application, including any restrictions it may enforce and any access it may give to ___________
support personnel.
Employees are required to read and become familiar with the usage policy provided by Company for the
Equipment.
1. Usage Terms
Equipment is intended for use at work. Users are expected to responsibly use the equipment for the intended
purpose. Use of equipment beyond what is deemed necessary may be restricted during work hours or permanently at
any time without prior notice.
2. Privacy
____________ understands the privacy concerns of the participants enrolling the devices. However,
____________ may require access to the device in order to review or retain copies of information on the
device to comply with legal requirements or in cases in which the company has a reasonable basis to believe
there has been an infringement of this policy such that Confidential Information may have been compromised.
The privacy and dignity of the user will be respected to the extent possible.
____________ may collect personal data including, but not limited to, GPS Data, Roaming Status, Cellular
Data Usage, Call Usage, SMS Usage, Personal Applications, File Manager Access and Registry Manager. Any
device may be remote controlled, un-enrolled or enterprise wiped at any time without prior notice. Any device
not owned by the employee may also be factory reset/fully wiped at any time if necessary.
3. Alteration
Employees are not permitted to remove or alter any Profiles that may be installed with the MDM enrollment. Any
alteration or removal of profiles without prior permission from the MDM administrator will result in the
appropriate action. Any attempt to violate or bypass the MDM implementation will result in immediate
disconnection from all resources, and there may be additional consequences in accordance with the
company's overarching security policy.
4. Equipment Issues and Support
Employees shall not remove profiles or un-enroll their devices upon facing issues and will be required to call
the company for any technical support relating to the MDM enrollment. If the company is not able to provide
the required assistance, it shall refer to AirWatch for the support.
5. Loss and Damage
Employee shall take reasonable and prudent care to maintain the Equipment in good condition and protect it
from loss, theft, or damage. Employee shall bear the risk for lost, stolen, or damaged Equipment and
components from the date Employee receives delivery of the Equipment until the return of the Equipment to
___________.
Employee agrees to report all incidents of theft of or damage to the Equipment to their local law enforcement
within twenty-four hours of Employee's knowledge of the loss. Company and Employee shall cooperate fully
with the appropriate local law enforcement agencies in completing all necessary reports.
Your device may allow for only the remote wipe of __________ data. This means your personal data is still
vulnerable, and thus it is recommended you also set a device password and take additional security
precautions.
Employee is ultimately responsible for any damage to or loss/theft of the Equipment while in his or her possession
and shall pay ___________ for any repair/replacement costs for damage to the Equipment and components.
7. Indemnity
Employee is solely responsible for the consequences of any misuse of the Equipment and the liability resulting
from misuse. Employee shall indemnify ___________ for any injuries, damages, or losses incurred due to the
intentional or negligent acts of the Employee. The Employee's obligation of indemnification to Company
survives the term of this Agreement.
___________ is not responsible for injuries, damages, penalties, or losses, including legal costs and expenses
incurred by the Employee or other person due to installation of software, transporting the Equipment, or any
other use of Equipment described herein.
___________ is not responsible for unauthorized use of its resources, and the security of data transmitted on
its information technology resources cannot be guaranteed.
8. Miscellaneous
Employee represents that he or she has the power to bind all of Employee's agents and representatives, all of
whom shall be bound by these terms. Employee cannot amend this Agreement unless accepted in writing by
an authorized representative of ___________. This Agreement shall constitute the entire agreement between
the parties with regard to the Equipment and any prior understanding or representation of any kind shall not be
binding on either party, except to the extent incorporated herein. The waiver of any right under this Agreement
by either party shall not be construed as a waiver of the same right at a future time or a waiver of any other
right under this Agreement. This Agreement shall be construed and enforced in accordance with the laws of
the __________. The parties acknowledge and expressly agree to waive any and all rights to a trial by jury of
any claim or dispute arising under this Agreement.
9. Terms of Use Modifications
____________ may revise these terms of use for its web site at any time without notice. By using this web site
you are agreeing to be bound by the then-current version of these Terms and Conditions of Use.
By signing below, I acknowledge that I have read and understand the conditions stated above and in this
Agreement. I am aware of my responsibilities and the consequences of defaulting on this Agreement.