6 FP1
Afaria helps you manage all the pieces of your mobile infrastructure, including desktop and laptop computers, and your mobile devices. From a central location, you can keep devices secure, deploy applications, check inventory and provide automatic updates to your frontline workers. This guide provides overviews and step-by-step information about how to install, configure, and begin using the Afaria Server, Afaria Administrator and related applications.
Installing Afaria 6.6 FP1
Document version 6.60.01
Copyright 2010 Sybase, Inc. All rights reserved.
This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new editions or technical notes. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be used or copied only in accordance with the terms of that agreement. To order additional documents, U.S. and Canadian customers should call Customer Fulfillment at (800) 685-8225, fax (617) 229-9845. Customers in other countries with a U.S. license agreement may contact Customer Fulfillment via the above fax number. All other international customers should contact their Sybase subsidiary or local distributor. Upgrades are provided only at regularly scheduled software release dates. No part of this publication may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without the prior written permission of Sybase, Inc. Sybase trademarks can be viewed at the Sybase trademarks page at http://www.sybase.com/detail?id=1011207. Sybase and the marks listed are trademarks of Sybase, Inc. ® indicates registration in the United States of America. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. All other company and product names used herein may be trademarks or registered trademarks of the respective companies with which they are associated.
Use, duplication, or disclosure by the government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of DFARS 52.227-7013 for the DOD and as set forth in FAR 52.227-19(a)-(d) for civilian agencies. Sybase, Inc., One Sybase Drive, Dublin, CA 94568
Contents
Afaria Installation and Maintenance
Revisions for Document Update Version 6.60.01
Afaria Support Services
Sybase Social Media Channels
Afaria Architecture
Afaria Server
Afaria Administrator
System Requirements and Release Notes
Installing Afaria
Installing a Simplified Environment
Installing a Standard Environment
Reinstallation
Upgrade
Preparing to Install Afaria
Creating User Accounts for Installing and Operating Afaria
The Afaria Database
Preparing for Upgrading the Platform
Preparing for Discontinued Server/Client Operations
Preparing for Continued iOS Device Management
Preparing for Continued Exchange Access Control Operations
Preparing for Continued SSL Communications
Preparing for Continued OMA DM Operations
Preparation for Upgrading to the Multitenancy Environment
Preparing for Upgrading Clients
Data Security Manager Clients that use Encryption
Clients in the Multitenancy Environment
Starting the Afaria 6.6 Setup Program
Locating Product Documentation
Entering or Updating Your License Key
Installing an Express Install
Installing Afaria Server 6.6
Starting the Server Setup Program
Selecting Server Options
Selecting Authentication Type
Completing the Installation
Installing Afaria Administrator
Verifying Afaria Administrator IIS Settings
Changing the IIS Connection Timeout Value
Starting Operations
Logging in as the Default User
Adding a Server to the Server List
Users and Roles in Afaria
Logging in as an Added User
Starting/Stopping/Restarting the Afaria Server
Accessing Afaria Administrator from a Remote Location
Server Configuration
Additional Installation and Resource Items
Setting Up the OTA Deployment Center
Getting Prerequisite Components
Installing Apache HTTP Server
Installing PHP Scripting Engine
Installing PHPConcepts PclZip
Installing the Deployment Center for an IIS Web Server
Installing the Deployment Center for an Apache Web Server
Deployment Center File Types
Deployment Center File Locations
Setting Up Access Control for Microsoft Exchange
Afaria Access Control for Microsoft Exchange Architecture
Installing the Afaria ISAPI Filter
Setting Up the SMS Gateway
SMS Gateway Third-Party Dependencies
Setting Up iOS Features
Installing the iOS Provisioning Server (Basic)
Configuring the Certificate Authority
Optional iOS Implementation Features
Adding Payload Signing to the Basic iOS Implementation
Reinstalling Afaria iOS Provisioning Server for Signing
Installing the Afaria SCEP Plug-In Module on the CA
Configuring Secure iOS Connections
Configuring the Relay Server for iOS Connections
Setting Up OMA DM Features
Setting Up the Relay Server
Registering the IIS User Account with ASP.NET
Copying Relay Server Files
Creating IIS Application Pools
Updating the Relay Server's IIS Configuration
Editing the Relay Server Configuration
Starting and Restarting the Relay Server
Documentation Resources for Updating Afaria Configuration
Planning for Adding a Relay Server to Your Afaria Environment
Configuring Upgraded Clients with Relay Server Data
Relay Server Bypass
Installing Afaria 6.6 Feature Pack 1
Installing the Portal Package Server
Upgrading Android Clients from 6.6 to 6.6 FP1
Create Client Installation Wizard
Updating Passwords and Accounts on the Afaria Server
Removing Afaria Components
Afaria Architecture
The Afaria architecture is designed for your enterprise environment to help you manage your desktop and mobile computing devices. The following Afaria terms help to provide an understanding of the Afaria product:

- Afaria server: Afaria is a server-based solution that can operate as a single, standalone server or as multiple servers in a server farm environment. The Afaria server communicates with the Afaria database and additional components or clients as necessary.
  - Standalone Afaria server: a single Afaria server operating as the only server in an Afaria installation. The server has a one-to-one relationship with the Afaria database.
  - Afaria server farm: multiple Afaria servers operating together in an Afaria installation. The servers have a many-to-one relationship with the Afaria database. A server farm includes one main Afaria server and one or more replication servers. All servers in the farm can access the database and host Afaria client sessions.
  - Peer Afaria servers: Afaria servers that operate as separate Afaria installations. Peer servers access different Afaria databases and support different sets of Afaria clients.
- Afaria Administrator, the application: the Web application that provides an interface for the Afaria server. Use Afaria Administrator to define the server configuration, define access policies for Afaria Administrator users, manage Afaria clients, monitor system activity, and communicate with other Afaria servers.
- Afaria administrator, the individual: the person that installs and operates the Afaria product.
- Afaria clients: user devices, such as handheld devices, smartphones, and laptops that Afaria manages. Clients either have an Afaria agent installed or have a native capability or third-party application that Afaria features use to interact with the hosting device.
- (Optional) Relay server: operates as a proxy for HTTP and HTTPS connections between an Afaria component server, such as an Afaria server or an OMA DM server, and its clients. Using a relay server increases enterprise network security by moving the session connection point from within your firewall to outside your firewall.
- (Optional) OTA Deployment Center: Web server that provides Afaria agent deployment services for your clients. An administrator pushes Afaria agent installation packages out to the deployment center and then sends notices to device holders. Device holders can download the agent directly onto their device for installation.
- (Optional) iOS provisioning server: for iOS client management, the Afaria iOS provisioning server sends configuration payloads to iOS devices.
- (Optional) Portal Package server: for portal package operations, and for content not delivered from another source, the portal package server hosts and serves Afaria application packages to clients.
- (Optional) OMA DM server: runs authenticated sessions with OMA DM clients to deliver messages that manage OMA DM clients. Clients are devices that have native support for device management via OMA DM standards and are known to the Afaria server.
Afaria Server
The Afaria Server program is installed on the server that communicates with the database. The Afaria Server program has no user interface; settings and features are available through the Afaria Administrator Web application. Depending upon your licensing, other Afaria programs that reside on the Afaria server include:

- Create Client Installation: a wizard that guides you through creating an agent installation package. Based on client type, you can choose different options that allow you to deploy the client via the OTA Deployment Center, a companion PC, a network, or client APIs.
- Software Catalog Editor: software reference catalog for Windows software. The Afaria Inventory Manager component references a software catalog when reporting software installed on Windows clients.
- Channel Viewer: lets you run Afaria sessions directly on your server machine.
- OTA Publisher: lets you create and publish packages of agent setup files to a Web server deployment center (Afaria OTA Deployment Center) for deployment to your planned client devices. A device user can download a package from the deployment center to install the Afaria agent on his device without having to connect to a companion PC or network.
Afaria Administrator
Afaria Administrator is the Afaria Server program's interface, a Web-based application that you can access from any computer running appropriate versions of Microsoft .NET and Internet Explorer. Afaria uses role-based access policies to control user rights. Rights are associated with discrete functions in the user interface. An administrator with sufficient access policy rights can use Afaria Administrator to view and manage operations and data. A user with limited rights might be limited to view-only access of a single functional area.
Installing Afaria
Follow an installation workflow to install Afaria on a server that does not have the Afaria software installed or when you want to install again to a new installation path. An installation workflow defines the process for planning and installing your Afaria environment. Identify the scenario that best describes your situation and requirements:

- (Evaluation licence only) Installing in a simplified environment
- Installing in a standard environment, including:
  - A first-time install
  - Installing to a new path
Installing a Simplified Environment

1. Prepare for the install by creating a Windows user account for operations.
2. Start the setup program.
3. Enter your license key. You must have an evaluation license key to continue.
Installing a Standard Environment

1. Prepare for the install, including creating a Windows user account for operations and establishing your database environment.
2. On your planned Afaria server, enter your license key and complete the Afaria server installation. If your installation is planned to have only one Afaria server, the server is a standalone server. If your installation is planned for a farm, the first server installed is the master or main server.
3. On your planned administrator server, complete the Afaria Administrator installation.
4. Complete procedures for getting started with operations.
5. (Server farm) For each additional server, prepare for the install by creating a Windows user account for operations, enter your license key, and complete the Afaria server installation. The additional servers in a farm are called farm or replication servers.
Reinstallation
Reinstall Afaria when changing your database, changing the authentication type, adding newly licensed features or capacity, or repairing Afaria. Reinstallation is re-running an installation on an Afaria server or administrator server that already has the same version of Afaria installed. Reinstalling is appropriate for repairing problems associated with corrupted or deleted files, and for making certain types of changes to your current installation.
Upgrade
Upgrade is running an installation on an Afaria server or administrator server that has a version of Afaria installed that is supported on the upgrade path. An upgrade is defined as upgrading the complete environment; the clients must upgrade along with the server and administrator components. Follow an upgrade workflow to install a more recent version without having to uninstall and install new. You can upgrade to Afaria 6.6 from any 6.0 SP1 or 6.5 configuration.
Create a Windows user account with appropriate attributes. (Production licences, not using express install) Create your database environment. If you have an evaluation license and plan to install the simplified, express install, the installation process creates your database environment for you.
1. On the planned server, create a local or domain Windows user account with the following attributes:
   - Password Never Expires
   - Logon as Service
2. Add the user to the planned server's local administrators user group.
3. Record the account credentials to use when you install the Afaria server and the Afaria Administrator programs.
4. (Active Directory environment) On the domain controller, update the user account properties (AccountName > Properties > Account > Log On To) to ensure the Log On To list of logon workstations is either unrestricted or includes the planned Afaria Administrator server and all planned Afaria Administrator browser computers.

For each additional domain that you plan to authenticate users against for operations, and using the same credentials and attributes as the first account, create a local account on the domain's domain controller.
Estimate values for the following factors:
- # of sessions per day
- Average session size

Apply the factor estimates to the daily formula for estimated growth per day:
(# of sessions per day) * (average session size) = Estimated growth per day

Apply the daily estimate to the weekly formula for estimated growth per week:
(estimated growth per day) * 7 = Estimated growth per week

For example, to determine the weekly disk space growth for 1000 daily sessions with an average session size of 60 KB:
(1000 sessions per day) * (60 KB average session size) * 7 days = 420 MB

So in this example, the database is estimated to grow by 420 MB per week. Consider the following items for calculating estimates:
- Add 1 MB of data per week to the estimate for each Inventory Manager client. Using Inventory Manager to perform client directory scans on Windows clients adds significantly more data to this estimate.
- Sessions with 100 events add an average of 40 KB in database growth per session in additional log data.
1. Create a database. Use default configuration settings with the exception of the following attributes:
   - Install jConnect metadata support: Disabled.
   - Page size: 8192 KB minimum.
2. Create a database user for the Afaria service to use for database access. Assign the database administrator (DBA) authority to the user.
3. Connect to the new database using the following network database server properties:
   - Identification: Database user name and password that you created for Afaria database access.
   - Database: Indicate the Afaria database server name and start line dbsrv11.exe, as well as the database name and file. Do not start the database using start line dbeng11.exe, which is for non-network database servers and does not support enough database connections for the Afaria service.

It is strongly recommended that you have only one instance of dbsrv11.exe per database.
1. In Sybase Central, select the Services tab and run the New Services Wizard.
2. Select service type.
3. Specify the executable.
4. Specify the parameters. -n database name. -x tcpip C:\AfariaDB\afaria.db. This instructs the database server to only run the TCP/IP network driver.
5. Local system account.
6. Select Automatic.
7. Start the server now.
8. Upon completion of the wizard, create a system event to back up and truncate the log. Log size 50 MB is recommended for an initial setting.
1. Create a database with the following attributes:
   - Datafiles: Automatically Grow File, Unrestricted Filegrowth.
   - Transaction Log: Minimum size 25 MB, Automatically Grow File, Unrestricted Filegrowth.
2. Create a role called db_executor with the execute right.
3. For the user you plan to use for Afaria operations with the database, ensure the user has the following attributes for your Afaria database:
   - Default schema: dbo
   - Role: db_ddladmin
   - Role: db_datawriter
   - Role: db_datareader
   - Role: db_executor
   - Password does not contain the semicolon (;) character
Example SQL Script for Creating a SQL User for Afaria Database Operations

This example script creates a new role with the execute right for a database named Afaria and assigns the user JBrowne all the required attributes the user needs for Afaria operations.

--For a database named Afaria and a login named JBrowne, create a User named JBrowne and grant the user the appropriate rights.
USE Afaria
GO

--Create a new role for executing stored procedures
CREATE ROLE db_executor
--Grant stored procedure execute rights to the role
GRANT EXECUTE TO db_executor
GO

--Assign user to dbo and required roles
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
BEGIN
    CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
    EXEC sp_addrolemember db_ddladmin, JBrowne
    EXEC sp_addrolemember db_datawriter, JBrowne
    EXEC sp_addrolemember db_datareader, JBrowne
    EXEC sp_addrolemember db_executor, JBrowne
END;
When you install the Afaria server, use the credentials from a user like this one if you choose SQL authentication for the Afaria database. If using Windows integrated authentication instead of SQL authentication, the Windows user requires the same rights and roles.
Right-click the database and select Properties. In the Properties window, click the Options tab. In the Recovery section, click the Model list box and select Simple.
1. Install the Oracle client on the planned Afaria server.
2. Create a user account on the Oracle Server. Grant the account the following roles and system privileges to the database:
   - Role: Connect, Resource
   - System Privileges: Create Table, Create Trigger, Create View, Create Sequence, Create Procedure, Unlimited Tablespace.
3. Create a Net service to allow the planned Afaria server to communicate with the Oracle Server.
4. Restart the Afaria server.
For more details on configuring the Oracle database, see your Oracle documentation.
Afaria Server Upgrade

The following steps summarize the procedure for upgrading an Afaria installation that includes a single Afaria server.

1. Stop Afaria services.
2. Upgrade the server. Do not start the Afaria Server service at this time.
3. Upgrade the Afaria Administrator application.
4. Start Afaria Server service.
Afaria Server Farm Upgrade

Upgrading a farm environment has additional requirements to complete the upgrade. The following steps summarize the procedure for upgrading an Afaria server farm environment.

1. Stop Afaria services on all replication servers.
2. Upgrade the main Afaria server. Do not start the Afaria Server service at this time.
3. Upgrade the replication servers.
4. Upgrade the Afaria Administrator application.
5. Start Afaria Server service on main server, then replication servers.
6. Replicate appropriate channels to replication servers.
Prior to upgrading, review the role of the Afaria server's Windows client in your environment. Consider the upgrade implementation changes that impact your operations.

- The Channel Viewer interface for Windows client is supported only on 32-bit environments. The Afaria server is supported on 64- and 32-bit environments.
- The Windows client is always installed on a new Afaria server without Channel Viewer. You can add Channel Viewer on supported environments by installing a Windows client with the Channel Viewer option from the Afaria Create Client Installation program.
- If upgrading to a 64-bit server environment, Channel Viewer is removed during the upgrade, as it is not supported in a 64-bit environment.
- If upgrading to a 32-bit server environment, and Channel Viewer was installed prior to upgrading, then Channel Viewer is preserved during the upgrade.
- The Windows client has a separate installation path from the Afaria server. For Session Manager operations, consider how you are using references and variables:
  - References that use absolute paths may break.
  - Relative paths that use a client path variable, such as <ClientDataDir>, are still correct.
  - Relative paths that use a server path variable, such as <ServerInstallDir>\TestHTML, may break.
After upgrading, adapt your operations according to the new implementation and your requirements.
1. Upgrade Afaria to the current version.
2. To review your preupgrade iOS policies and assignments report, run the iOS upgrade utility and click View Report.
   Utility path: <ServerInstallDir>\Bin\iPhoneMobileconfigExport.exe
   The report identifies the Afaria 6.5 policies assigned to each Afaria 6.5 device definition.
3. (Optional) To export former iOS configuration policies for use with the new implementation, run the iOS upgrade utility and click Begin Export.
4. On the Afaria Administrator, import or create new policies.
   - To import policies, on the Administration > Policies and Profiles page, click Import iOS Mobile Configuration File on the toolbar.
   - To create new policies, on the Administration > Policies and Profiles page, right-click Policies and select New > Device Configuration.
5. Add iOS clients to new or existing client groups.
6. Add client types, client groups, and policies to new or existing group profiles.
7. For the group profile or the client group, send an outbound notification to apply policies. The notification causes clients to connect to the iOS provisioning server.
Before upgrading, in the Afaria Administrator application, select Server Configuration > Properties > Exchange ActiveSync Policy to review your current default policy and time frame settings. After upgrading, revisit the renamed page by selecting Server Configuration > Properties > Exchange Access Policy to review your upgraded settings. Change any settings as is appropriate for your requirements. See Afaria Reference Manual | Platform > Properties > Exchange Access Policy.
Valid certificate requirements

Afaria 6.5 allows SSL sessions to run only when the server's certificate is valid, as evaluated against the following criteria:

- The certificate is signed by a trusted CA or a trusted self-signed CA.
- The certificate is not expired.
- The Common Name, typically the fully qualified domain name, on the certificate matches the address that the client used to initiate the session.
- The certificate is valid for encryption and authentication.
- The certificate is compliant with x.509 certificate standards. Supported formats: Base64-encoded x.509 (.CER) and Personal Information Exchange (.PFX). You can convert a nonencoded x.509 certificate to a Base64-encoded certificate by using a save as or export process in a certificate editor such as the Microsoft Certificates utility (CertMgr.msc).
- The certificate key is an RSA key.

If the product detects an invalid certificate after the upgrade, all SSL connections are terminated until a new, valid certificate is installed.
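Because an invalid certificate stops all SSL connections after the upgrade, it helps to evaluate the certificate file against these criteria beforehand. The following PowerShell function is an added example, not part of the Sybase guide; the function and parameter names are assumptions, as is the mapping of "valid for encryption and authentication" to the KeyEncipherment key usage and the Server Authentication enhanced key usage.

```powershell
# Added example, not Sybase code. Function and parameter names are assumptions.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,       # .cer or .pfx file to check
        [Parameter(Mandatory = $true)][string]$ServerAddress,  # address clients use to start a session
        [System.Security.SecureString]$PfxPassword             # only for a password-protected .pfx
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $path = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    if ($PfxPassword) {
        $cert = New-Object "$ns.X509Certificate2" -ArgumentList $path, $PfxPassword
    } else {
        $cert = New-Object "$ns.X509Certificate2" -ArgumentList $path
    }

    # Supported formats: Base64-encoded X.509 (.cer) and Personal Information Exchange (.pfx).
    $ext = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
    if ($ext -eq '.pfx') {
        $formatOk = $true
    } elseif ($ext -eq '.cer') {
        $firstLine = Get-Content -LiteralPath $path -TotalCount 1
        $formatOk  = [bool]($firstLine -match '^-----BEGIN CERTIFICATE-----')
    } else {
        $formatOk = $false
    }

    # Not expired (and already valid) at the time of the check.
    $now        = Get-Date
    $notExpired = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Common Name must match the address clients connect to (exact, case-insensitive).
    $nameType    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $commonName  = $cert.GetNameInfo($nameType, $false)
    $nameMatches = ($commonName -ieq $ServerAddress)

    # RSA public key (OID 1.2.840.113549.1.1.1).
    $isRsa = ($cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1')

    # Assumed interpretation of "valid for encryption and authentication":
    # if the extension is present it must allow the usage; if absent, usage is unrestricted.
    $ku  = $cert.Extensions['2.5.29.15']   # key usage
    $eku = $cert.Extensions['2.5.29.37']   # enhanced key usage
    $keyEnc    = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $encryptOk = (-not $ku) -or ((([int]$ku.KeyUsages) -band $keyEnc) -ne 0)
    $authOk    = (-not $eku) -or
                 (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')

    # Chain to a trusted root in this machine's certificate store; revocation is not checked
    # so that the function also works offline.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    $checks = [ordered]@{
        SupportedFormat     = $formatOk
        NotExpired          = $notExpired
        CommonNameMatches   = $nameMatches
        RsaKey              = $isRsa
        EncryptionUsage     = $encryptOk
        AuthenticationUsage = $authOk
        TrustedChain        = $trusted
    }
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })

    [pscustomobject]@{
        Subject     = $cert.Subject
        CommonName  = $commonName
        NotAfter    = $cert.NotAfter
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Failed      = $failed
        Valid       = ($failed.Count -eq 0)
    }
}

# Example call (constructed path and host name):
#   Test-ServerCertificate -CertPath 'C:\certs\server.cer' -ServerAddress 'afaria.example.com'
```

The trust check uses the certificate store of the computer that runs the function, so run it on a machine whose trusted roots match those of your clients.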
Certificate password assignment

In contrast to previous releases, the upgraded environment requires a password for all certificates. Therefore, to facilitate a working environment after upgrade, the upgrade assigns the password "password" to the certificate. You can use Server Configuration > Properties > Client Communication > View to view your certificate and change the password to a privately known value.
Upgrade server and administrator. Restart services. Modify existing trust task, change action to remove. Add a new trust task into the same policy but after the pre-existing trust task. Define the task with an add action and select any additional rights to enforce. Connect OMA DM clients to deploy updated policy.
- Define tenants.
- Define access policies that associate roles with tenants.
- For each tenant, define assets and connect clients:
  - Define client groups.
  - Define profiles and associated assets that continue your operations according to your requirements. You may continue to use system tenant assets, as shared by the system tenant and available to all tenants, or you can define new, tenant-specific assets.
  - Assign client groups to profiles, as appropriate for your operations.
  - Change client tenant associations from the system tenant to the new tenants.
  - Connect clients.
When clients connect, they automatically pick up their new tenant association and begin using their assigned profiles.
Configuration Tenants page introduced by the multitenancy feature introduces a new Tenant role definition item in the Server Configuration role definition tree.
1. On the Afaria Administrator application, open the Access Policies page.
2. For each role, open Role Definition > Server Configuration > Tenants and select Create, Modify, or Read, as appropriate for the role.
Perform the upgrade. Create a few tenants. Accumulate some data in each tenant. Run custom views and reports. Custom items produce one of the following results:
- Error-free results that are filtered by tenant
- Error-free results that are not filtered by tenant
- Fatal errors during execution
If custom items result in fatal errors, delete damaged items and re-create them in the new environment, taking the new database design into consideration. Custom items that you create after the upgrade are available to all tenants, rather than only for the originating tenant.
See Afaria Reference Manual | Platform > Data Views to learn more about creating custom views in a multitenant environment.
- Upgrade specification without backslash terminator: \Temp encrypts only the file temp, without regard to the presence or absence of a directory of the same name.
- Upgrade specification with backslash terminator: \Temp\ encrypts all files in the folder.
See Afaria Reference Manual | Components > Data Security Manager for Handheld Clients > Lock Down Options > Path and File Name Data Items to learn about defining items for encryption and items for deleting specified data.
On the server of interest for a planned installation item, close all running programs. Copy the entire Afaria product image to a local destination. On the root directory of the image, locate the setup.exe file. Open setup.exe to launch the setup program and open the Afaria Setup Menu.
Start the setup program. Click Documentation. Click the item of interest.
- Readme: includes information about finding system requirements and release notes on the technical support site and information about what is located on the product installation image.
- Installation guide: the English version of Installing Afaria. Installing Afaria is available in additional languages by clicking Documentation folder on the documentation menu and navigating the language folders.
- Documentation folder: opens the \Documentation folder on the installation image.
All product documentation is available in English. Some documents are available in additional languages.
Start the setup program. Click View or Update License Key. Type your license key into the key box. Choose Licensing Details to review your licensing information. The maximum number of concurrent sessions supported per server depends on your licensing. The ability to run the maximum number of licensed concurrent sessions depends upon the amount of memory, the speed, and number of the processors on your server.
Choose Apply to save the license key and return to the setup menu with your licensed options available. For updating your license key, complete a reinstallation for the server. The reinstallation updates the server as necessary to support the license change.
- Installs and configures a SQL Anywhere database.
- Installs an Afaria server and its related server applications with authentication enabled for local users.
- Installs the Afaria Administrator Web console.
- If licensed for OMA DM features, installs the OMA DM server.

Start the setup program. Click Express Evaluation Install. The program opens the End User License Agreement dialog box. Click Yes or No to indicate your acceptance or rejection. The installation continues only when you accept the agreement. Specify the account name and password to use to run the Afaria service. The Express install includes an evaluation copy of SQL Anywhere. You may need to acknowledge one or more informational dialog boxes that describe the evaluation product.
Click Install.
See also Creating User Accounts for Installing and Operating Afaria on page 12.
Start the setup program. On the setup menu, click Install. Click Server. The program opens the End User License Agreement dialog box. Click Yes or No to indicate your acceptance or rejection, and then click Next. The installation continues only when you accept the agreement. Accepting the agreement opens the Welcome dialog.
See:
- The Afaria Database on page 12
- Creating User Accounts for Installing and Operating Afaria on page 12
- Selecting SQL Anywhere Database Options on page 30
- Selecting SQL Server Database Options on page 31
- Selecting Oracle Database Options on page 31
Select your SQL Anywhere server name from the SA Server Name list. The list populates only with names of SQL Anywhere servers on the same subnet. If you need to locate a SQL Anywhere server outside the subnet, select the Edit Host/Port check box in order to provide the server information. The Host name may be a machine name or IP address.
Integrated login. Select this option to integrate your Windows login with your SQL Anywhere login. SA user login. Enter the login information for the database user with DBA authority that you created for your Afaria database.
Click Next to continue. On the SQL Anywhere Server database dialog, type the name of the database you created for Afaria, and then click Next to continue. The Afaria installation program validates the database you specify. If you type the database name incorrectly or type the name of the wrong database, you may see a "Request to start/stop database denied" error. If you are installing a replication server in a server farm environment, you must select the database for the existing Afaria server.
Select the SQL Server to use with Afaria. Select either Windows Authentication to use a Windows administrator account with SQL Server privileges or SQL Server Authentication to use the SQL Server account with its associated password that you set up for Afaria. Click Next to continue. On the SQL Server Database dialog, select the database you configured for Afaria. If you are installing a replication server in a server farm environment, you must select the database for the existing Afaria server. If you are reinstalling the Afaria server as standalone, you must select a new database.
Select your Oracle driver and enter the Oracle service name. Enter the credentials for the service: user name and password. Click Next to continue.
On the Confirm Server dialog, review the information to ensure it is consistent with your intention, and click Next to continue. On the Directory Selection dialog, accept the default location or click Browse to navigate to a new location. On the Service Account dialog, specify the account name and password you created for operating Afaria. In the Server Selection dialog, accept the default name or enter a descriptive name for the Afaria server. Each replication server in a server farm must have a unique name. The server name must not include the backslash (\) character.
If you are installing a main or standalone server, continue with selecting the authentication type. If you are installing a replication server for a farm, continue with completing the installation.
See:
- Creating User Accounts for Installing and Operating Afaria on page 12
- Selecting Authentication Type on page 34
- Completing the Installation on page 36
In the Type of authentication dialog, select your authentication type.
- NT domain authentication: select NT domain-based and enter the domain you plan to use for authentication. As the administrator, you must also be a member of this domain.
If you do not choose a domain during installation, you can add a domain for authentication on the Server Configuration > Properties > Security page. To allow users to use blank passwords, additional operating system settings are required. Refer to Afaria Reference Manual | Platform > Server Configuration > Properties > Security to learn more about the requirements for allowing blank passwords.
- Local authentication: select NT domain-based and keep <none> as the domain.
- LDAP authentication: select LDAP-based.
For NT domain or local authentication, click Next to continue with completing the installation. For LDAP authentication, click Configure LDAP and continue with configuring LDAP information.
See Completing the Installation on page 36 and Configuring LDAP Information on page 34.
In the LDAP Server Login Information dialog, enter login information.
- Server Address: enter your LDAP server address as either a fully qualified domain name such as afaria.mycompany.com or as an IP address.
- Port Number: Afaria automatically defaults to the LDAP standard port 389. If you enter another port number, you must enter a number greater than 1024.
- Server Type: select your LDAP Server type.
- Use SSL: select to enable SSL communication with your LDAP server.
- SSL Port Number: define the LDAP server port for SSL communications.
- Anonymous Login: select Anonymous Login to allow the Afaria server to communicate with the LDAP server without using a dedicated LDAP user account for the server. If using anonymous login, configure your LDAP server to allow a search of the directory structure for users, user groups, and organizational units and all of their attributes.
- User DN: if not using anonymous login, enter the User DN (Distinguished Name) for the LDAP account the Afaria server uses to communicate with the LDAP server. If you don't know the user name for the account, click Search User. You must have an LDAP proxy user configured for an anonymous login to be able to search for users. You can enter a name using a wildcard character to search for the correct User DN. For example, you can enter *mith or *mit* to search for Smith.
- Password: enter the password for the LDAP account the Afaria server uses to communicate with the LDAP server.
In the LDAP Root Directory dialog, select a root directory that contains all of the groups, organizational units, and users the server requires for authentication and assignments.
In the LDAP User Characteristics dialog, select a characteristic.
- LDAP Class Name for Users: select or enter the LDAP Class Name for Users.
- User Name Attribute: select or enter the user name attribute to use in the LDAP environment. When client users connect to the server, they enter the user ID as the user name you specify.
In the LDAP Container Settings dialog, select a membership basis for assigning channels to users.
- Support OU membership: select to assign channels to users based on their organizational unit (OU).
- Support OU and group membership: select to assign channels to users based on both their OU and groups.
On the Ready to Start Installation dialog, click Install. The Setup Complete dialog opens when the installation is complete.
If you receive a message that a file is in use, choose an appropriate action.
- Abort: quits the installation. If you are reinstalling and you abort the installation, you may find that some of the files were updated and some were not, leaving the installation in an undesirable state. Run the install program again to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.
- Retry: close the application using the file specified, and then select Retry. Setup tries to install the file again. If the installation does not continue, select Ignore.
- Ignore: continues the process but requires you to restart the computer in order to complete the installation.
You may be prompted to restart your computer when the file copying process is completed. After restart, the installation program continues from the point at which it was interrupted.
Select whether to start the service at this time. To allow connections immediately, start the service. To continue with additional installations and configuration, do not start the service.
Click Finish.
Start the setup program. On the setup menu, click Install. Click Administrator, and click Next to continue. On the Select Virtual Directory dialog, define the virtual directory for Afaria in IIS. If you created a directory, select it from the list. If you have not created a directory, type the name for the directory to create it. The directory appears in the IIS directory under Default Web Site.
On the Select Physical Directory dialog, enter the physical location to install Afaria Administrator files. If you are installing Afaria Administrator on the same server as the Afaria server, install Afaria Administrator in a different directory.
On the Specify Credentials dialog, specify the account name and password you used for the Afaria server installation. On the Domain Selection dialog, enter the domain for selecting Afaria Administrator users to administer the Afaria server. To limit selection to only local users, keep <none> as the domain. On the Ready To Start Installation dialog, click Install to begin the installation. The Setup Complete dialog box opens at completion.
If you receive a message that a file is in use, choose an appropriate action.
- Abort: quits the installation. If you are reinstalling and you abort the installation, you may find that some of the files were updated and some were not, leaving the installation in an undesirable state. Run the install program again to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.
- Retry: close the application using the file specified, and then select Retry. Setup tries to install the file again. If the installation does not continue, select Ignore.
- Ignore: continues the process but requires you to restart the computer in order to complete the installation.
You may be prompted to restart your computer when the file copying process is completed. After restart, the installation program continues from the point at which it was interrupted.
10. On the Setup Complete dialog, click Finish to close the installation program.
program to create one for you, then verify the Afaria Administrator IIS settings before operating the Afaria Administrator program.
Using Windows IIS Manager, locate the virtual directory created for Afaria Administrator. Right-click the virtual directory and select Properties. Verify the appropriate settings.
- On the Virtual Directory page: verify the installation path for Afaria Administrator, and verify that read and write access is enabled.
- On the Documents page: files default.asp and default.aspx appear in the list.
- On the Directory Security page: in the authentication and access area, click Edit. Ensure that anonymous access is disabled and Integrated Windows authentication is enabled.
To test the virtual directory, right-click it again in IIS and select Browse. The Afaria Administrator home page should open in your browser.
If you have stopped and restarted IIS at any time before opening Afaria Administrator, ensure that the WWW Publishing Service also started when you restarted IIS. If it is not started, you can reset IIS, or you can restart it manually. This service must be running in order for you to open Afaria Administrator.
Using Windows IIS Manager, locate Default Web Site. Right-click Default Web Site and select Properties. In the connections area, increase the time out to meet your needs. When you change this value, it impacts all the Default Web Site members. Ensure you have determined an acceptable value for all sites.
Click OK.
Starting Operations
To get started with Afaria after completing the installation, complete tasks that prepare for, and validate, basic operations. Product documentation guide Afaria Reference Manual | Platform covers these and other tasks in greater detail.
1. Log in a first time using the installing user account context.
2. Add your Afaria server to the server list.
3. Add yourself as a user for:
   - Afaria operations
   - (Optional) Afaria access policies
4. Return to the default page by clicking Exit.
5. Log in a second time using your Windows user account.
6. Start the Afaria server.
See also:
- Logging in as the Default User on page 40
- Adding a Server to the Server List on page 41
- Users and Roles in Afaria on page 41
- Logging in as an Added User on page 42
- Starting/Stopping/Restarting the Afaria Server on page 43
Open Internet Explorer and enter the Afaria Administrator address.
Syntax: http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDirectory>
If your current user context is different from the user context for installing the product, then the Enter Network Password dialog opens. Enter the installing user's name, password, and domain and click OK. Domain is not required when logging in to a local machine. The Afaria Administrator server list opens in your browser window without any servers on the list.
The Access Policies link and page are available only to the installing user and users assigned to the Access Administrator role.
Right-click Servers in the left pane and select Add Server. Type a name, address, and description for the server. The address can be either an IP or DNS address. The description helps Afaria users recognize named servers.
Click Test Server Connection. The test configures the connection, validates the address, and validates whether the server is running.
By default after installation, the only user with access policy rights is the installing user. Add users after adding one or more servers. For basic operations upon which you can build later, add yourself as a user in roles for:
- Access policies
- Server operations
On the Access Policies page's left pane, select Access Administrator. On the right pane, click Add. The Available Users list box populates with users from the local computer and from any domains that you included during product installation. Both user groups and individual users are included in the list.
Select a user or group from the available list and move it to the assigned list. Click OK.
On the Access Policies page's left pane, expand the server you defined and select the Administrators role. On the right pane, click the Users tab and click Add. The Available Users list box populates with users from the local computer and from any domains that you included during product installation. Both user groups and individual users are included in the list.
Select a user or group from the available list and move it to the assigned list. Click OK.
From the Afaria default page, click Logon As User. The Connect To dialog opens. Supply your Windows user credentials and click OK. The default page opens with content appropriate for your user role. Your user context displays on the banner.
From the Afaria default page, click the role link that is associated with the server to start. The Server Status page opens. The page includes a dynamic link that changes between Start Server or Stop or Restart Server, depending on the current state of the server.
Click the Start Server or Stop or Restart Server link to open the Current Status dialog. The dialog is dynamic based on the current state of the server and the relevant actions. Click on the appropriate action:
- Start: start a stopped server
- Stop: stop a started server
- Restart: stop then start a started server
Open Internet Explorer and type the address for the Afaria Administrator installation you want to view.
Syntax: http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDir>
A configuration message opens in your browser window, similar to the following example:
Right-click the Click to configure security link and select Save Target As on the shortcut menu. Save the file to your computer. Open or run the downloaded file to open the Security Configuration Manager dialog box.
Type the Afaria Administrator address from the dialog box according to the format http://<localhost>/<VirtualDirectory> and click OK. Click OK to close the Success message box. Close Internet Explorer. Open the Afaria Administrator shortcut on your desktop. Internet Explorer opens and launches Afaria Administrator. The server list appears. It is populated only with Afaria servers for which you have access rights. For more information, see Adding a Server to the Server List on page 41.
Server Configuration
The Server Configuration features let you define system-wide parameters. This section briefly covers each link in the Server Configuration area. For more details about server configuration, see the Afaria Reference Manual | Platform > Server Configuration.
Properties > Server: use server properties to configure parameters for server information and behavior. These parameters include:
- Contact: provide Channel Viewer users with information regarding the person to contact if they have questions with their client devices or encounter problems during a communication session with the server.
- Exchange Access Config: for the Afaria Access Control for Microsoft Exchange feature, the Exchange Access Config property page lets you define parameters for operating the ISAPI listener on the Afaria server.
- Failed session cleanup: control how the system handles failed communication sessions between clients and the server.
- License: view information about your system, including a list of licensed components and client types, the number of licensed sessions, expiration dates (if any), and a brief description of the license type.
- Logging policy: determine the global logging policy settings. All logs are enabled by default.
- Log cleanup: specify the cleanup time for the individual logs.
- OTA Deployment Center: establish settings for Afaria client and Afaria server communication with the OTA Deployment Center.
- SMS Gateway: define settings for an Afaria Short Message Service (SMS) gateway.
- Security: configure settings for security measures, including authentication, domain assignments, and client approval. If you are using LDAP for authentication and assignments, you can also enable and configure SSL for LDAP to increase security when you communicate with your Windows clients.
- SMTP: establish SMTP server settings for your Afaria-initiated, SMTP-based communications.
- User-defined fields: create new fields in your database tables related to the A_CLIENTS table and read from/write to these fields using the session worklist variables Set Database Field and Get Database Field used for writing to or reading from the database.
- Outbound notification: control the volume parameters for outbound notification sessions to keep the Afaria server from being overwhelmed with incoming sessions.
- Relay server: define settings for using a relay server for your Afaria operations. The relay server operates as a proxy for HTTP and HTTPS sessions between the Afaria server and its Afaria clients.
Properties > Component configuration: use component configuration properties to configure global settings for installed optional components. These parameters include:
- AV/Firewall: define the disposition of new client files or pattern files and identifies the date of the last update.
- Backup Manager: define the physical location for backup storage and define associated log and alert thresholds.
- Document Manager: apply default location settings for your file selections and settings for alternate media sources.
- Exchange Access Policy: define a synchronization policy for your enterprise's devices that use Microsoft Exchange ActiveSync to synchronize with your organization's Microsoft Exchange Server.
- iOS Server: define properties for the Afaria iOS provisioning server and the certificate authority (CA) server.
- OMA DM: define the OMA DM server address properties that OMA DM clients need to communicate with the OMA DM server.
- Patch Manager: define the location for storing downloaded patches.
often users run specific applications. This page appears empty until you define software licenses in your database.
The deployment center is a Web application that is a separate component from the Afaria server and Afaria Administrator. The Afaria Clients it deploys are Afaria Client software packages that you create using the Afaria Create Client Installation program. Afaria supports using the deployment center to deploy client packages to the following Afaria client types:
- BlackBerry
- Palm
- Windows Mobile Professional (including Windows CE)
- Windows Mobile Standard
- Symbian
- Windows
These client types are distinguished from other Afaria client types that do not install Afaria Client software, such as iOS clients, or OMA DM clients. Afaria supports setting up the deployment center in the following Web server/OS environments:
- IIS Web server on a Windows OS
- Apache Web server on a Windows OS
- Apache Web server on a Linux OS
The following steps summarize the procedure for setting up an OTA Deployment Center:
1. Get prerequisite components from Sybase third-party component site.
2. (Apache on Windows) Install Apache HTTP server component.
3. Install PHP scripting engine component.
4. Install PHP Concept Library Zip component.
5. Install the OTA Deployment Center.
   - (IIS) Install the deployment center by running the OTA Deployment Center setup program.
   - (Apache) Install the deployment center by copying OTA Deployment Center files from the Afaria product image.
Visit the Afaria third-party component dependency reference page, where you can find version information and download instructions for obtaining the required components. Obtain the components required for your Web server/OS environment:
(Apache on Windows)
- Apache HTTP Server, a Web server
- PHP scripting engine
- PHPConcepts PclZip
Use the Windows installer (.msi) to install the server components. Choose the typical install option, supplying the specific network, server, and administrator email information for your particular server. A typical installation installs the binaries, configuration and data files under the C:\Program Files folder. If your Windows environment has this folder locked, it may be necessary for you to use the custom install option and install to a different location or modify the Apache configuration after the installation is complete. Refer to the Apache documentation for further details.
Secure the Apache server. Although there are many methods for securing the Apache server, a minimum recommendation is that you edit the Apache Configuration File (httpd.conf) to turn off the Indexes option for the directory root in order to prevent browsing. You can also access the file via the Windows Programs menu or you can locate it in the following path:
C:\Program Files\Apache Group\Apache2\conf
Place a dash (-) in front of the word Indexes from the root directory's configuration. See the last line in the following excerpt from the configuration file.
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.0/mod/core.html#options
# for more information.
#
    Options -Indexes FollowSymLinks
Create a new folder named PHP under the following path: C:\Program Files
Extract the contents of the PHP distribution zip file to the new folder.
Ensure that the directory structure contained in the zip file is preserved during extraction.
Edit the Apache configuration file (httpd.conf) to add the following directives. LoadModule directives:
LoadModule php5_module "c:/Program Files/php/php5apache2.dll"
PHPIniDir "C:/Program Files/PHP"
AddType directive:
AddType application/x-httpd-php .php
Create a folder named Includes under the following PHP installation folder path: C:\Program Files\PHP
Create a copy of file php.ini-recommended, from the root of the PHP installation folder, in the same folder. Rename the copy to php.ini.
Verify or edit php.ini settings as indicated in the following sample. Many of the required and recommended settings are already set. The convention of bracketed annotations (e.g. [Required]) is introduced only in this sample to provide supplemental information.
[Strongly recommended for security] set/verify register_globals=off
[Required] set post_max_size = 32M
[Required] set/verify magic_quotes_gpc=off
[Suggest, security reasons*] set safe_mode=on
    safe_mode_gid=on
    safe_mode_include_dir="C:\Program Files\PHP\Includes"
[Recommended for security] set open_basedir="C:\Program Files\PHP\Includes"
[Recommended for security] set file_uploads=off
[Recommended for security] set allow_url_fopen=off
[Required] set extension_dir="C:\Program Files\PHP\ext"
[Required] add extension=php_soap.dll to extensions list
[Required] set soap.wsdl_cache_enabled=1
* The setting set safe_mode=on requires additional settings if turned on. Please refer to the PHP documentation (including comments in php.ini) for more details.
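One way to check an existing php.ini against the settings in the sample above, as an added example that is not part of the Sybase guide. The function names and the sample file are constructed for illustration; directive names are compared case-sensitively, which is how PHP reads them.

```python
import ntpath

# Expected values copied from the php.ini sample on this page.
# Kinds: "bool" = PHP on/off flag, "path" = Windows path, "text" = literal.
EXPECTED = [
    ("register_globals", "bool", False, "strongly recommended"),
    ("post_max_size", "text", "32M", "required"),
    ("magic_quotes_gpc", "bool", False, "required"),
    ("safe_mode", "bool", True, "suggested"),
    ("safe_mode_gid", "bool", True, "suggested"),
    ("safe_mode_include_dir", "path", r"C:\Program Files\PHP\Includes", "suggested"),
    ("open_basedir", "path", r"C:\Program Files\PHP\Includes", "recommended"),
    ("file_uploads", "bool", False, "recommended"),
    ("allow_url_fopen", "bool", False, "recommended"),
    ("extension_dir", "path", r"C:\Program Files\PHP\ext", "required"),
    ("soap.wsdl_cache_enabled", "bool", True, "required"),
]
REQUIRED_EXTENSION = "php_soap.dll"
TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"0", "off", "no", "false", "none", ""}

# Constructed sample with deliberate deviations; not a shipped php.ini.
SAMPLE_INI = r"""
[PHP]
register_globals = On
post_max_size = 8M
magic_quotes_gpc = Off
safe_mode = On
Safe_mode_gid = On        ; wrong case, so PHP never sees safe_mode_gid
safe_mode_include_dir = "C:\Program Files\PHP\Includes"
open_basedir = "c:/program files/php/includes/"
file_uploads = On
extension_dir = "C:\Program Files\PHP\ext"
;extension=php_soap.dll
extension=php_mbstring.dll
[soap]
soap.wsdl_cache_enabled=1
"""


def clean_value(raw):
    """Strip quotes, or an unquoted trailing ';' comment, from an ini value."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(";", 1)[0].strip()


def parse_php_ini(text):
    """Return (settings, extensions); a later assignment overrides an earlier one."""
    settings, extensions = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":      # blank, comment or [section]
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), clean_value(value)
        if name == "extension":
            extensions.append(value.lower())
        else:
            settings[name] = value           # names stay case sensitive
    return settings, extensions


def value_matches(kind, want, got):
    """Compare a configured value with the expected one for its kind."""
    if kind == "bool":
        # An unrecognised word matches neither set and is reported.
        return got.lower() in (TRUE_WORDS if want else FALSE_WORDS)
    if kind == "path":
        # Windows paths: ignore case, slash direction and a trailing slash.
        return (ntpath.normcase(ntpath.normpath(got))
                == ntpath.normcase(ntpath.normpath(want)))
    return got.lower() == want.lower()


def audit_php_ini(text):
    """Return a list of (level, directive, problem) for every deviation."""
    settings, extensions = parse_php_ini(text)
    findings = []
    for name, kind, want, level in EXPECTED:
        got = settings.get(name)
        if got is None:
            # Absent means PHP's built-in default applies; report for review.
            findings.append((level, name, "not set in this file"))
        elif not value_matches(kind, want, got):
            findings.append((level, name, "is %r, page sample has %r" % (got, want)))
    if REQUIRED_EXTENSION not in extensions:
        findings.append(("required", "extension", REQUIRED_EXTENSION + " not loaded"))
    return findings


if __name__ == "__main__":
    for level, name, problem in audit_php_ini(SAMPLE_INI):
        print("[%s] %s: %s" % (level, name, problem))
```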
Extract the contents of the PclZip distribution file into the following path:
C:\Program Files\PHP\Includes
This creates a new folder named pclzip<version>.
Rename the folder to pclzip. Open the PHP configuration file (php.ini) located in the following path:
C:\Program Files\PHP
Locate the include_path setting that is associated with the Windows path setting. Modify it by removing the leading semi-colon and updating the path value to match your installation's PclZip path, as shown in the following excerpt.
;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
;
; Windows: "\path1;\path2"
include_path = ".;C:\Program Files\PHP\Includes\PclZip"
From the IIS Web server, locate the setup program on the Afaria product image: <product image>\OTADeploymentCenter\setup.exe
Under the PHP Includes folder (C:\Program Files\PHP\Includes), create the following folders:
- iAnywhere
- iAnywhere\OTA
- iAnywhere\OTA\download
- iAnywhere\OTA\management
Copy files from the Afaria product image to the new folders as follows:
- \Deployment Center\download\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\download\*.*
- \Deployment Center\management\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\management\*.*
- \Deployment Center\scripts\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\*.*
Modify the include_path setting in the PHP configuration file C:\Program Files\PHP\php.ini to add the location of the deployment center scripts, as shown in the following excerpt.
include_path = ".;C:\Program Files\PHP\Includes\PclZip;C:\Program Files\PHP\Includes\iAnywhere\OTA"
Add the following excerpt to the end of the Apache configuration file (httpd.conf). The Apache configuration requires using the forward slash mark / in path statements for proper implementation.
### Afaria OTA Deployment Download and Management script directories
# Set "Options -Indexes" and "DirectoryIndex" to allow
# operation of script by access to directory only.
Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA/download"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/download" >
    Options -Indexes
    DirectoryIndex OTADownload.php
</Directory>
Alias /Afaria/OTAmgmt "C:/Program Files/PHP/Includes/iAnywhere/OTA/management"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/management" >
    Options -Indexes
</Directory>
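Both httpd.conf excerpts in this guide (the document root and the OTA download and management directories) depend on Options -Indexes to prevent directory browsing. The following added example, which is not part of the Sybase guide, reads an httpd.conf and reports each <Directory> block where listings are enabled or merely inherited; the function names and the sample configuration are constructed. It also flags Options lines that mix +/- names with bare names, as the document-root excerpt does, because Apache 2.4 rejects that syntax at startup.

```python
import re

DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
DIR_CLOSE = re.compile(r"</Directory\s*>", re.IGNORECASE)

# Constructed sample: the first block re-enables listings, the second follows
# the guide, the third omits the Options line the guide asks for.
SAMPLE_CONF = """
<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA/download"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/download" >
    Options -Indexes
    DirectoryIndex OTADownload.php
</Directory>
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/management" >
    AllowOverride None
</Directory>
"""

ENABLED = "Indexes enabled"
INHERITED = "Indexes not set here; inherited from parent scope"
MIXED = "Options mixes +/- names with bare names"


def classify_options(tokens):
    """Return (indexes, mixed) for the arguments of one Options line.

    indexes: True = listings on, False = off, None = left to the parent scope.
    mixed:   True when +/- prefixed names are combined with bare names.
    """
    signed = [t for t in tokens if t[0] in "+-"]
    mixed = bool(signed) and len(signed) != len(tokens)
    # A line of bare names replaces everything inherited, so Indexes is off
    # unless it is named; a line of +/- names only adjusts inherited options.
    indexes = None if signed else False
    for token in tokens:
        if token.lstrip("+-").lower() == "indexes":
            indexes = not token.startswith("-")
        elif token.lower() == "all":         # All includes Indexes
            indexes = True
        elif token.lower() == "none":
            indexes = False
    return indexes, mixed


def audit_indexes(conf_text):
    """Return (directory, problem) pairs, one or more per <Directory> block."""
    findings = []
    current, indexes, mixed = None, None, False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIR_OPEN.match(line)
        if opened:
            current, indexes, mixed = opened.group(1), None, False
        elif current is None:
            continue                          # directive outside any block
        elif DIR_CLOSE.match(line):
            if indexes is True:
                findings.append((current, ENABLED))
            elif indexes is None:
                findings.append((current, INHERITED))
            if mixed:
                findings.append((current, MIXED))
            current = None
        elif line.split()[0].lower() == "options":
            state, is_mixed = classify_options(line.split()[1:])
            if state is not None:
                indexes = state               # later Options lines win
            mixed = mixed or is_mixed
    return findings


if __name__ == "__main__":
    for directory, problem in audit_indexes(SAMPLE_CONF):
        print("%s: %s" % (directory, problem))
```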
Deployment Center data files Files that are modified by the system at runtime. Database files Contains information about the set of files published to the deployment center for download. This location is referenced by the deployment center configuration. Deployment files The set of files published for download to devices. This set of files is determined at runtime through the file publication management functions. There are two classifications of these files:
57
Indirectly accessed These files are not directly accessible from the Web server, but are served by the download scripts. This location is referenced by the deployment center configuration. Directly accessed These files are directly accessible from the Web server. They reside in sub-folders under the location of the download script.
Log files These files are written by the system for status, audit and debug logging. This location is referenced by the deployment center configuration.
Prepare clients according to type: (Android, Windows Mobile, Symbian clients) Connect clients to the Afaria server to report their Exchange identifying data. (iOS) Use the Data Views > Clients page to add iOS device definitions.
On the Afaria Administrator, use the Server Configuration > Properties > Exchange Access Config page to configure settings for the Afaria ISAPI filter that you will install on the Microsoft Exchange Server's IIS Server. See Afaria Reference Manual | Platform > Server Configuration > Properties > Exchange Access Config.
On the IIS Server that services your enterprise's Microsoft Exchange Server, use the Afaria setup menu > Additional Installations > Access Control for Exchange option to install the Afaria ISAPI filter. Customers who are upgrading can install the filter over the existing filter. The policies defined for known and unknown devices go into effect, and the devices you prepared are identified as known devices.
Afaria ISAPI filter: When a client connects for a Microsoft ActiveSync request, queries the Afaria PowerShell service to determine whether to allow or block the current client's synchronization request.
Afaria PowerShell service: Receives requests from the ISAPI filter and responds with the connecting client's allow or block synchronization instruction. According to the polling interval, queries the Afaria server's ISAPI filter listener to refresh the client and policy list.
Afaria server service: Starts the Afaria ISAPI filter listener process.
Afaria ISAPI filter listener: Receives requests from the Microsoft PowerShell service to refresh the client and policy list. Upon request, queries the Afaria database to compile a list of known devices and their associated policies and any defined policies for unknown devices.
Microsoft Exchange environment with ISAPI filter on the IIS Server: Allows or blocks Microsoft ActiveSync requests, as determined by the Afaria ISAPI filter.
Afaria server with ISAPI filter listener: According to the polling interval, receives requests from the Exchange environment and responds with the most current list of clients and associated synchronization policies.
Tenant customer sites
Microsoft Exchange environment with ISAPI filter on the IIS Server: Allows or blocks Microsoft ActiveSync requests, as determined by the Afaria ISAPI filter. According to the polling interval, queries the Afaria environment to refresh the client and policy list.
(Optional) Relay server: Serves as a proxy for communication from tenant sites to hosting site.
Hosting site: Hosts the primary Afaria server components behind the hosting organization's firewall.
Afaria server with ISAPI filter listener: Upon request, responds to requests for a client and policy list from the Exchange environment with the most current list of clients and associated synchronization policies.
Install the ISAPI filter on the IIS Server. Set the authentication method for the filter.
Installing the ISAPI Filter on the IIS Server
Install the Afaria ISAPI filter on the Exchange Server's IIS Server as part of the Afaria Access Control for Microsoft Exchange feature implementation.
Deliver this information to the IIS Server administrator for installation:
ISAPI filter folder, as provided on the Afaria product image. The folder contains the installation wizard. Choose the 32-bit or 64-bit folder to match the bit state of the IIS Server's operating system.
Afaria server address or, if using the relay server as a proxy, the relay server address and farm ID, as configured for the Afaria server.
Afaria configuration data, including protocol, port, and host name data, as defined on the Afaria Administrator > Server Configuration > Properties > Exchange Access Config page.
On the IIS Server, store the ISAPI filter folder in a temporary directory on the IIS Server's local drive. Open the folder and run the setup executable to open the Afaria ISAPI Filter Setup program wizard. Follow the installation wizard until the installation is complete. The wizard includes these primary pages:
Blocking Options: Defines whether to block or allow synchronization requests that are initiated from sources other than handheld ActiveSync clients.
Server Settings: Address for the Afaria server or, if using the relay server as a proxy, the relay server address and farm ID, as configured for the Afaria server. The farm ID you enter must match the Afaria server's relay server farm ID. The relay server implementation for the ISAPI filter uses the farm ID you enter and appends _IIS to the string. Your relay server configuration file must have corresponding farm IDs defined for the Afaria server and the Afaria server's ISAPI listener.
Specify Credentials: Specify the account name and password used to run the Afaria service on the Afaria server.
(Optional) To verify the filter properties, open the IIS Server's Default Web Site > Properties > ISAPI Filters tab. Look for filter name XSISAPI.DLL on the list. You can also verify that XSISAPI service is started in the Microsoft Management Console, which corresponds to process XSSrvAny.exe. The filter's polling frequency back to the Afaria server is determined by Afaria server configuration settings for Exchange Access Control for the Exchange Server's unknown device policy.
Setting the Authentication Method for the ISAPI Filter
Set the authentication method for the ISAPI filter to allow basic authentication for user names and passwords.
Open the Microsoft IIS Manager utility and navigate to <MicrosoftServerActiveSync> > Properties > Directory Security > Edit (Authentication and access control). Set authentication properties for ISAPI filter operations:
Enable anonymous access: disable
Integrated Windows authentication: disable
Basic authentication: enable
See Microsoft references for information about IIS Web Site authentication methods.
Files Installed With and Used By the ISAPI Filter
The installed ISAPI filter adds files and logging to the Exchange Server's IIS Server. Installing the Afaria ISAPI filter adds the following files to your IIS Server:
IIS path: <IIS_InstallDir>
AfariaISAPIFilterUninstall.ini
PipeServer.ps1
HTTPSClient.ps1
InstUtil.dll
XSISAPI.dll
XSSrvAny.exe
Executable XSSrvAny.exe launches PipeServer.ps1 and HTTPSClient.ps1. In turn, each of these creates an event in the Windows Application Event log. The entries indicate the start action and its log file location. Consider this example event log entry:
XSISAPI PowerShell HTTPS Client was successfully started. Logfile is C:\Documents and Settings\Default User\Application Data\XSISAPI\XSISAPIHTTPS_Log.txt.
The Afaria ISAPI filter operations use and generate the following files on your IIS Server. The path for the files is described in the PipeServer.ps1 and HTTPSClient.ps1 startup Windows Application Event log entries.
Devices.xml: List of Afaria Exchange access control clients known and managed by Afaria synchronization policies.
(Temporary file) NewDevices.xml: iOS or Android devices that have connected to the Exchange Server for synchronization and need to send a unique Exchange identifying value to the Afaria server.
HTTPS.txt: Log file for HTTPSClient.ps1 operations. List of connections from IIS Server by the Afaria polling agent, back to the Afaria server to refresh the Devices.xml list.
Pipe.txt: Log file for PipeServer.ps1 operations. List of client synchronization requests indicating synchronization status 1 for allowed or 0 for denied.
Start the setup program. On the setup menu, click Additional Installations and Resources > Access SMS Gateway Resources. On the Afaria third-party component dependency reference page, find version information and download instructions for obtaining the Cygwin components.
SMS gateway operations use only some of the components of the Cygwin product. Therefore, the installation steps describe a manual process for installing only the component that the SMS gateway requires, rather than using the Cygwin installation program.
Use a decompression utility to decompress the BZ2 download packages from within the <download folder> folder. For each installation package file with file extension BZ2, the decompression yields one extracted file with file extension tar. Extract the decompressed packages into the same download folder. The file extraction creates the following folders:
<download folder>\usr: Folder contains additional, nested folders.
<download folder>\etc: Folder contents are not used for SMS gateway operations.
Modify the Afaria Server environment to include the required libraries and tools by either 1) including <download folder>\usr\bin in the default system path or by 2) copying the following <download folder>\usr\bin files into the Afaria folder <AfariaInstallation>\bin\SMSGateway: cygcrypto-0.9.8.dll cygiconv-2.dll cygssl-0.9.8.dll cygwin1.dll cygxml2-2.dll cygz.dll The default value for <AfariaInstallation> is C:\Program Files\Afaria.
Using Afaria Administrator, configure the SMS gateway interface to define connectivity between the Afaria Server that is hosting the SMS gateway and the Afaria SMS gateway. See Afaria Reference Manual | Platform > Server Configuration > Server Configuration Properties > SMS Gateway > SMS Gateway Interface.
Using Afaria Administrator, define at least one SMSC Server Configuration entity. See Afaria Reference Manual | Platform > Server Configuration > Server Configuration Properties > SMS Gateway > SMS Server Configuration.
Start the setup program. On the setup menu, click Additional Installations and Resources > iOS Installations > iOS Provisioning Server. On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server. The provisioning server uses these credentials to contact the Afaria server for database credentials.
On the Specify Virtual Directory Names page, define these settings:
Unauthorized virtual directory name: User-defined name, populated with a default value. This is the first directory on the provisioning server to which clients connect.
Authorized virtual directory name: User-defined name, populated with a default value. This is the directory on the provisioning server that clients connect to after they are authenticated to complete the payload provisioning process.
On the Specify Server Address page, define the address for the Afaria server. The Afaria iOS provisioning server uses this address to reach the Afaria server.
On the Specify Certificates for Signing page, unselect Sign Messages to disable the feature; it is not part of the basic iOS implementation. Follow the setup wizard to completion. The iOS provisioning server installation is now complete. The installation process also populates the iOS Server configuration page with corresponding values.
(Upgrade) If you installed the iOS provisioning server on a server other than the Afaria Administrator server, some files and services from the original iOS provisioning server are now abandoned on the Afaria Administrator server. On the Afaria Administrator server, disable unwanted services from running by opening the Microsoft Component Services utility, and then stopping and disabling service AfariaIPhoneServer.
On the CA server, add the Active Directory Certificate Services role with these attributes:
Role services:
  Certification Authority
  Certificate Authority Web Enrollment, including the related Web Server IIS role services
  Network Device Enrollment Service
Setup type: Enterprise
CA type: Root CA
Private key: create a new private key
Cryptography:
  Cryptographic key provider: RSA Microsoft Software Key Storage Provider
  Key character length: 2048
  Hash algorithm: SHA1
CA name: common name and suffix are user-defined; record the common name for subsequent Afaria server property configuration
Validity period: user-defined
Certificate database: user-defined
Add the Web Server IIS role with at least the default role services.
Add the Network Device Enrollment Service with these attributes:
User account: specify a user account that is also a member of the domain and the local IIS_IUSRS group
Registration Authority (RA) information: user-defined; do not use any special characters
Cryptography:
  Signature key cryptography service provider (CSP): Microsoft Strong Cryptographic Provider
  Key character length: 2048
  Encryption key CSP: Microsoft Strong Cryptographic Provider
  Key character length: 2048
(Windows Server 2008) After adding the required roles, disable per-certificate password prompts for connecting devices by updating the CA's SCEP password registry key:
Key: HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword
Type: DWORD
Value: change from 1 to 0
Verify that the CA has the Microsoft SCEP configured with password prompting disabled. Verify this requirement by using a Web browser or the CA server's IIS Manager to open the SCEP enrollment page. If using IIS Manager, the path is Default Web Site > CertSrv > mscep > right-click Browse. Successful verification displays a certificate thumbprint. Failed verification displays a temporary password.
Implement optional functionality as your requirements dictate. See also:
Adding Payload Signing to the Basic iOS Implementation
Installing the Afaria SCEP Plug-In Module on the CA
Configuring Secure iOS Connections
Configuring the Relay Server for iOS Connections
Obtain a root certificate from a known certificate authority or export it from your own CA server. Obtain a signing certificate from the same CA source as your root CA. Copy both certificates to a location accessible from the iOS provisioning server. Reinstall the iOS provisioning server to enable signing and specify certificate information. Use the Afaria Administrator application to open Server Configuration > Properties > iOS Server page to configure the settings for your signing implementation. See Afaria Reference Manual | Platform > Properties > iOS Server.
Restart the Afaria server. Provision one or more test devices and observe the user interface to determine whether the certificate is untrusted or trusted. The expected result, after a possible user authentication prompt, is either:
Signed, but untrusted: The Apple Profile Service dialog is exposed to the user and indicates status Not Verified.
Signed and trusted: The Apple Profile Service dialog is exposed to the user and indicates status Verified.
If untrusted and you require trust, deploy a root certificate to the client that matches the root certificate that the provisioning server is using and retry the provisioning.
certificate from a known certificate authority (CA) or if you operate as a self-signing entity and create your own signing certificate. The IPSec signing certificate must meet these property requirements:
Subject: Define the subject name as type common name.
General: Define the common name CN and record the value for future use.
Extensions: Add all available options for key usage and extended key (also known as application policies) usage.
Private key: Select key size 1024 and make the private key exportable. The key type is allowed for exchanges.
On your Windows CA server, open the Microsoft Management Console. Use the Add/Remove snap-in feature to add the Certificates snap-in to manage certificates for a computer account. From the Console Root pane, navigate the Certificates node > Trusted Root > Certificates to display the certificate list. Select the root certificate for your CA server and launch the Certificate Export wizard. Complete the wizard, meeting this requirement:
Certificate format: Distinguished Encoding Rules (DER) encoded binary X.509 (.cer)
On your Windows CA server, open the Microsoft Management Console. Use the Add/Remove snap-in feature to add the Certificates snap-in to manage certificates for a computer account. From the Console Root pane, navigate the Certificates node > Personal > Certificates to display the certificate list. Launch the task for requesting a new certificate. Define the certificate properties to meet the Afaria iOS signing certificate requirements.
On your Windows CA server, open the Microsoft Management Console. Use the Add/Remove snap-in feature to add the Certificates snap-in to manage certificates for a computer account. From the Console Root pane, navigate the Certificates node > Personal > Certificates to display the certificate list. Select the signing certificate you created for iOS provisioning and launch the Certificate Export wizard. Complete the wizard, meeting these requirements:
Certificate format: Personal Information Exchange PKCS #12 (.pfx)
Certificate inclusion: include all certificates in the certification path
On the iOS provisioning server, close all running programs. On the setup menu, click Additional Installations and Resources > iOS Installations > iOS Provisioning Server. On the Specify Credentials, Specify Virtual Directory Names, and Specify Server Address pages, accept the values you previously defined for the basic implementation. On the Specify Certificates for Signing page, select Sign Messages to enable the feature and define the signing attributes:
CA Certificate Filename: the path and file name for the root certificate.
Signing Certificate Filename: the path and file name for the signing certificate.
Signing Certificate Password: enter and confirm the password associated with the signing certificate.
Follow the setup wizard to completion. The iOS provisioning server installation is now complete. Data is validated at the conclusion of the setup program as the process attempts to install the certificate. If you encounter errors at this point, retry the installation.
On the CA server, start the setup program. On the setup menu, click Additional Installations and Resources > iOS Installations > Install Afaria SCEP Plug-In Module. On the setup program, enter database type and credentials. On the setup program, choose an installation path and install the Afaria SCEP policy module. On the CA, open Active Directory Certificate Services (ADCS). On your CA node, select the Properties and the Policy Module tab, then select XSSCEPPolicyModule.dll. Restart ADCS. (Optional, recommended) Power off, and then on, the CA server. Due to a known issue reported for the Microsoft CA restart ADCS operations, Sybase recommends turning the power off, and then on, to correctly enable the Afaria SCEP module. After startup, the CA issues certificates only to the devices that are defined in the Afaria database.
On either the Afaria iOS provisioning server or the CA server, use the IIS Certificate wizard to import a certificate and associate it with the port that clients use for a connection. Use the IIS Manager utility to enable SSL for the appropriate Web site's virtual directory. For the provisioning server, the directory designated for unauthorized connections is the appropriate directory.
On the Afaria Administrator server, use the Afaria Administrator application to open Server Configuration > Properties > iOS Server page to configure the settings to use HTTPS on connections.
See Afaria Reference Manual | Platform > Properties > iOS Server.
Set up the relay server, including: Preparing the foundation for relay server operations by copying files and creating application pools. Edit the relay server configuration file [options] and [relay_server] sections for basic operations. Edit the relay server configuration file [backend_farm] and [backend_server] sections for the component server of interest, either the CA server or the provisioning server.
On the Afaria Administrator server, use the Afaria Administrator application Server Configuration > Properties > iOS Server page to configure the Afaria server's settings for using the relay server. See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server > Provisioning Server, Certificate Authority, and Relay Server for complete instructions.
For each component server, copy an instance of the relay server outbound enabler (RSOE) to launch for relay server operations. See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server > Configuring the Relay Server for iOS Components for complete instructions.
Start the setup program. On the setup menu, click Additional Installations and Resources > Install OMA DM Server. On the Welcome window, click Next. On the Directory Selection window, select the installation path, server ID, and virtual directory. Click Install. The wait time for installation may be lengthy; possibly in excess of 10 minutes.
See also: Afaria Reference Manual | Platform > Properties > OMA DM Server Afaria Reference Manual | Platform > Creating Clients > OMA DM Clients
Set up an optional relay server to increase your enterprise network security. A relay server operates as a proxy for HTTP and HTTPS sessions between the Afaria server, or one of its supported server components, and its clients. Using a relay server increases network security by moving the session connection point from within your firewall to a location outside of your firewall, to your Demilitarized Zone (DMZ). Afaria supports using the relay server with any of the following Afaria server components:
Afaria server
OMA DM server
Provisioning server for iOS features
Certificate Authority server for iOS features
The following steps summarize the procedure for installing and configuring a relay server on an IIS Server:
1. Register the IIS user account on the planned relay server with ASP.NET.
2. Copy relay server files from the Afaria product image to your planned relay server.
3. Create IIS application pools on the relay server.
4. Update the relay server's IIS configuration.
5. Create a relay server configuration file to reside on the relay server.
6. Update your Afaria configuration settings to begin using the relay server.
7. Make your first connection to the relay server.
Use your Microsoft IIS Server documentation as a reference for additional IIS procedures.
Navigate to the relay server command path: C:\Windows\Microsoft.Net\Framework\<Version> If you are operating your IIS Server with more than one version of ASP.Net, choose the version that you are using to run your Web site.
Execute the ASP.NET registration command on the relay server with the grant access option: Command: aspnet_regiis.exe -ga IUSR_<MachineName> The command is an example of the registration command with the grant access option that is valid for ASP.Net 2.0.5. The command for your version of ASP.Net may differ.
Refer to your Microsoft IIS Server and ASP.NET product documentation for more information about the IIS user and group and using the registration command.
Locate the files on the Afaria product image: Copy folder: <product image>\relay_server\ias_relay_server
Copy folder ias_relay_server from the product image to the IIS Server's home directory (e.g. C:\Inetpub\wwwroot). Ensure that you copy the folder, rather than just the files in the folder.
Create a server application pool and associated application directory. Create a client application pool and associated application directory. Add Afaria Web service extensions to the IIS Server.
Refer to your Microsoft IIS Server documentation for additional IIS information.
Create an application pool with a user-defined Pool ID. Assign the pool the following properties:
Recycling > Recycle worker processes (minutes): Disabled
Performance > Idle timeout: Disabled
Performance > Request queue limit: Disabled
Performance > Web garden: A minimum of twice the number of servers making requests
Health > Enable pinging: Disabled
Health > Enable rapid-fail protection: Disabled
Select Web Sites in the IIS Manager's left pane and navigate to Default Web Site > ias_relay_server > Server > right-click Properties > Directory. Create an application directory with the following attributes:
Execute permissions: Scripts and executables
Application pool: Use the Pool ID that you created for the application pool
Create an application pool with a user-defined Pool ID. Assign the pool the following properties:
Recycling > Recycle worker processes (minutes): Disabled
Performance > Idle timeout: Disabled
Performance > Request queue limit: Disabled
Performance > Web garden: At least twice the number of servers making requests, but no less than 5. You may want to increase the value if client connections are frequently dropped or if clients experience bad throughput during sessions.
Health > Enable pinging: Disabled
Health > Enable rapid-fail protection: Disabled
Select Web Sites in the IIS Manager's left pane and navigate to Default Web Site > ias_relay_server > Client > right-click Properties > Directory. Create an application directory with the following attributes:
Execute permissions: Scripts and executables
Application pool: Use the Pool ID that you created for the application pool
In the IIS Manager's left pane, select Web Service Extensions.
Add the Afaria Server Web service as a valid extension with the following attributes:
Extension name: User-defined name for the server extension
Required files: ias_relay_server\server\rs_server.dll
Set extension status to Allowed: Enabled
Add the Afaria Client Web service as a valid extension with the following attributes:
Extension name: User-defined name for the client extension
Required files: ias_relay_server\client\rs_client.dll
Set extension status to Allowed: Enabled
Run the script to set the UploadReadAheadSize property. Script command: cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 0 The command returns the current value of the uploadreadaheadsize variable.
Using a text editor, edit the configuration file's [options] and [relay_server] sections for the relay server's basic operations.
The configuration file must contain only ASCII characters.
For each server component that you want relay server to support, edit or create sections [backend_farm] and [backend_server] with settings for your environment, according to the configuration file definitions. Start the relay server.
See also:
Configuration File Definitions for Basic Operations
Configuration File Definitions to Support Server Components
Starting and Restarting the Relay Server
#-------------------------------------
# Relay server
#-------------------------------------
[options]
start = auto
verbosity = 1
# Note: When auto start is used, the default log file is
# <tmpdir>\ias_relay_server_host.log while rshost is active.
# The value of <tmpdir> is filled using the following environment variables
# searched in this order:
# SATMP
# TMP
# TMPDIR
# TEMP
#--------------------
# Relay server
#--------------------
[relay_server]
enable = yes
host = 123.45.6.78
http_port = 80
https_port = 443
description = Machine #1 in RS farm
1. The actual file is a single, continuous file. The file is represented here in two parts for the sake of page formatting.
#---------------
# Backend farms
#
# Notice that the case sensitive farmID must match the farmID set in the Afaria Administrator's
# relay server configuration page. Default value in Afaria is farmID=Afaria.
#---------------
[backend_farm]
enable = yes
id = farmID
description = Afaria Farm
#-----------------
# Backend servers
#
# id must match regKey HKLM\Software\Afaria\Afaria\Server\TransmitterId
# on your afaria server
#-----------------
[backend_server]
enable = yes
farm = farmID
id = sc
token = zyyxpj22p
1: Session-level logging
2: Request-level logging
3: Packet-level logging, terse
4: Packet-level logging, verbose
5: Transport-level logging
Section: [relay_server]
Identifies your relay server and its respective ports for HTTP and HTTPS communications. The relay server's ports must match the IIS Server's ports.
enable: Controls whether the relay server operates.
  yes: Operate.
  no: Do not operate.
host: Relay server's own IP address or host name.
http_port: Set value to match the relay server's IIS setting for HTTP communications.
https_port: Set value to match the relay server's IIS setting for SSL communications.
description: User-defined description.

Section: [backend_farm]
Creates a single, case-sensitive identifier for a component server environment, regardless of whether you are operating a single component server or a farm of component servers.
enable: Controls whether the farm operates.
  yes: Operate.
  no: Do not operate.
id: User-defined, case-sensitive value for identifying a server farm. Each farm in the relay server configuration file must have a unique ID.
description: User-defined description.
client_security: Specifies the secure communication protocol requirement for clients connecting to the relay server. This is an optional section that is not represented in the sample configuration file. Omitting the section results in the relay server enforcing the default value.
  on: HTTPS is required.
  off: Default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.
backend_security: Specifies the secure communication protocol requirement for component servers connecting to the relay server. This is an optional section that is not represented in the sample configuration file. Omitting the section results in the relay server enforcing the default value.
  on: HTTPS is required.
  off: Default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.

Section: [backend_server]
Identifies a single component server to the relay server. You must have one [backend_server] section for each component server in your component server environment.
enable: Controls whether the server operates.
  yes: Operate.
  no: Do not operate.
Farm: The case-sensitive farm value is the same for each server. Use the same farm ID as from section [backend_farm].
ID: The ID value is unique for each server in the farm. If a server hosts more than one supported server component, then all server IDs on the host must be unique. For example, if a server hosts both an Afaria server and an OMA DM server, and both are defined in separate farms in the relay server configuration file, then the server IDs used for the two server components must be different.
Token: The token is any string that you create. Use the same token value for each server in a farm.
Configuration for Afaria Server Defining the relay server configuration file to support an Afaria environment requires that you define some matching values in both the configuration file and the Afaria environment. Consider
87
the following items when defining the relay server configuration file [backend_farm] and [backend_server] sections. Section: [backend_farm] id User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the farm ID you define on the Afaria Administrator > Server Configuration > Properties > Relay Server page. On the Relay Server page, the default value is afaria. Section: [backend_server] ID Define the server ID value to match the TransmitterID value defined in each Afaria servers registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId. Token Farm token you define must match the farm token you define on the Afaria Administrator > Server Configuration > Properties > Relay Server page.
Configuration for OMA DM Server Defining the relay server configuration file to support one or more OMA DM servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section. id User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the Farm ID you define on the Afaria Administrator > Server Configuration > Properties > OMA DM Server page.
Configuration for Access Control for Exchange Features ISAPI Filter Defining the relay server configuration file to support one or more ISAPI filters requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section. id Syntax is <AfariaServerFarmID>-IS, where AfariaServerFarmID is the same farm ID you define for the Afaria server in the relay server configuration file, and -IS is a suffix. For example, if you define your Afaria server farm ID as Afariafarm, then define your ISAPI filters farm ID as Afariafarm-IS to match.
Configuration for iOS Provisioning Server
Defining the relay server configuration file to support one or more iOS Provisioning servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.
id: User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the RS Farm ID for PS you define on the Afaria Administrator > Server Configuration > Properties > iOS Server page.
Configuration for iOS Certificate Authority Server
Defining the relay server configuration file to support one or more iOS Certificate Authority servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.
id: User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the RS Farm ID for CA you define on the Afaria Administrator > Server Configuration > Properties > iOS Server page.
Afaria server farm with four servers
In an environment that includes a single relay server supporting an Afaria server farm with four servers, the configuration file includes the following sections:
- [options]: one instance
- [relay_server]: one instance
- [backend_farm]: one instance
- [backend_server]: four instances
Single Afaria server plus an Afaria server farm with four servers
In an environment that includes a single relay server supporting a single Afaria server and an Afaria server farm with four servers, the configuration file includes the following sections:
- [options]: one instance
- [relay_server]: one instance
- [backend_farm]: two instances
- [backend_server]: five instances
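The matching rules above can be checked before the relay server is put into service. The following is an added example, not part of the Afaria documentation or product: it assumes `key = value` lines and `#` comment lines in the configuration file, and the function names, server IDs and token in it are constructed for illustration.

```python
import re

# Constructed sample, reduced to the keys this section names (id, token).
SAMPLE = """[options]
[relay_server]
[backend_farm]
id = Afariafarm
[backend_farm]
id = afariafarm-IS
[backend_server]
id = SRV-A
token = example-farm-token
[backend_server]
id = SRV-B
"""

def parse_sections(text):
    """Return [(section, {key: value})]; repeated sections are kept apart."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections and not line.startswith("#"):
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def check_config(text, expected_farm_ids, transmitter_ids, farm_token):
    """List mismatches between the file and the values recorded in Afaria."""
    secs, problems = parse_sections(text), []
    for name in ("options", "relay_server"):
        count = sum(1 for sec, _ in secs if sec == name)
        if count != 1:
            problems.append(f"[{name}]: expected one instance, found {count}")
    farm_ids = [kv.get("id", "") for sec, kv in secs if sec == "backend_farm"]
    for want in expected_farm_ids:  # exact, case-sensitive comparison
        if want not in farm_ids:
            problems.append(f"no [backend_farm] id equals {want!r}")
    for fid in farm_ids:  # ISAPI filter farms are <AfariaServerFarmID>-IS
        if fid.endswith("-IS") and fid[:-3] not in farm_ids:
            problems.append(f"{fid!r}: no [backend_farm] id {fid[:-3]!r}")
    for kv in (kv for sec, kv in secs if sec == "backend_server"):
        sid = kv.get("id", "")
        if sid not in transmitter_ids:
            problems.append(f"[backend_server] {sid!r}: not a known TransmitterId")
        if kv.get("token") != farm_token:
            problems.append(f"[backend_server] {sid!r}: token differs from farm token")
    return problems
```

Calling `check_config(SAMPLE, ["Afariafarm"], {"SRV-A", "SRV-B"}, "example-farm-token")` reports the ISAPI farm ID whose case does not match the Afaria farm ID and the server entry that has no token.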
On a command line, use the DOS Change Directory command to navigate to the Afaria Server Web service extensions folder, typically IIS path inetpub\wwwroot\ias_relay_server\server:
    CD <WebServiceFolder>
You may want to create a batch file for the commands and store it in a convenient location in your relay server environment. See Configuration File Definitions for Basic Operations on page 85.
Upgrade the Afaria server.
Connect clients to the server to receive a client update.
Begin relay server operations.
Configure clients for relay server operation using one of the following methods:
- New client installations: Create new client installation packages with relay server information as the seed data. Install and connect new clients.
- Update client configuration: Update client configuration settings with relay server information. Connect clients.
Configure the relay server information on your upgraded Afaria server.
Create a new client package with relay server seed data.
Install the client on a test device.
Use Session Manager to extract the values for the client's relay server data registry keys HKLM\Software\Afaria\Afaria\Client\Config RSFarmID and RSInfo.
Use Session Manager to update the client configuration data for upgraded devices that need the relay server data.
Follow the installations that match the features and clients for which you are licensed. If you are licensed for all the enhancements, then follow a combination of the installations.
Installing FP1 for Afaria Access Control for Microsoft Exchange
If you are licensed for Windows Mobile, Symbian, iOS, or Android, install the access control update.
1. (iOS) Before upgrading, in the Afaria Administrator application, select Server Configuration > Properties > Exchange Access Policy to review your current default policy and time frame settings.
2. Stop Afaria services on your server or farm.
3. On your Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.
4. On your Afaria server, starting with your master server if you have a farm, run the FP1 server setup program.
5. On the Afaria Administrator server, run the FP1 administrator setup program.
6. Start Afaria services on your server or farm.
7. Revisit Server Configuration > Properties > Exchange Access Policy page to review your upgraded iOS settings and new policy options. Change any settings as is appropriate for your requirements.
8. Prepare clients according to type.
   - (iOS) Use Data Views > Clients to change the access control policy for any iOS devices as is appropriate for your requirements.
   - (Android, Symbian, Windows Mobile) Connect clients to the Afaria server to report their Exchange identifying data.
9. On the IIS server that services your enterprise's Microsoft Exchange Server, install the Afaria ISAPI filter. Customers who are upgrading can install the filter over the existing filter.
The policies defined for known and unknown devices go into effect, and the devices you prepared are identified as known devices.
Installing FP1 for iOS Management
If you are licensed for iOS clients, install the iOS Mobile Device Management (MDM) management update. iOS MDM management requires that you obtain an Apple iOS Developer Program enterprise certificate (.p12) with push notification privileges, an Apple Worldwide Developer Relations Certification (WWDR) intermediate certificate (.cer), and an Apple root certificate (.cer), as licensed to your enterprise by Apple.
1. On the Afaria server, using either the Microsoft Management Console with the Certificates snap-in for the local computer, or the Afaria Install Apple Push Certificate utility (<ServerInstallationDirectory>\Bin\InstallPushCert.exe), install the Apple certificates in the appropriate certificate stores.
   - Apple root certificate: trusted root store
   - Apple Worldwide Developer Relations Certification (WWDR) intermediate certificate: trusted root store
   - Apple iOS Developer Program enterprise certificate: personal store
   If using the Afaria utility, and the iOS provisioning server is installed on the same server, and you want to enable the possibility of signing iOS provisioning payloads with your Apple enterprise certificate, select Modify ACL to modify the Windows Access Control List to grant read-only privileges to iOS components that require it.
2. Stop Afaria services on your server or farm.
3. On the Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.
4. On the Afaria server, starting with the master server if you have a farm, run the FP1 server setup program.
5. On the Afaria Administrator server, run the FP1 administrator setup program.
6. On the Afaria iOS provisioning server, run the FP1 provisioning server setup program.
7. Start Afaria services on the server or farm.
8. In the Afaria Administrator application, select Server Configuration > Properties > iOS Notification page to add your Apple iOS Developer Program certificate. See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server.
9. In the Afaria Administrator application, select Server Configuration > Properties > iOS Server page to verify or modify the addresses for using the Apple Push Notification Service for notifications and feedback services, as provided by Apple as part of the iOS Developer Program. See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Notification.
10. Restart the Afaria server.
11. In the Afaria Administrator application, select Data Views > Clients, right-click an iOS client and select Outbound notification > Provision device to force a device to connect and receive a management policy. The device user must allow the policy to install to begin MDM management. Verify management status by reviewing the new client inventory data added as a result of MDM management.
Installing FP1 for Application Management
If you are licensed for iOS or Android clients, install the application management update. For more robust iOS application management, install FP1 for iOS management prior to installing FP1 for application management.
1. If you created any portal application packages in Afaria 6.6 before installing FP1, open the Afaria Administrator application and select Administration > Policies and Profiles page and delete any packages you created. Packages created prior to installing FP1 are rendered invalid when you install FP1.
2. Stop Afaria services on your server or farm.
3. On your Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.
4. On your Afaria server, starting with your master server if you have a farm, run the FP1 server setup program.
5. On the Afaria Administrator server, run the FP1 administrator setup program.
6. On your planned portal server, run the FP1 portal package server setup program, recording the server's virtual directory and address.
7. Start Afaria services on your server or farm.
8. In the Afaria Administrator application, select Server Configuration > Properties > Portal Package Server page to verify the portal package server's virtual directory and address. See Afaria Reference Manual | Platform > Server Configuration > Properties > Portal Package Server.
See also:
- Afaria Reference Manual | Platform > Administration > Portal Packages > Managing Packages.
- Afaria Reference Manual | Platform > Administration > Portal Packages > Package Category Application.
1. On the planned portal package server, close all running programs. You can install the portal package server on the same server as the Afaria Administrator server or on a separate server.
2. Locate the Afaria portal package server setup file (.exe), distributed with the feature pack.
3. On the Directory Selection page, accept the default location or click Browse to navigate to a new location.
4. On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server. The provisioning server uses these credentials to contact the Afaria server for database credentials.
5. On the Specify Virtual Directory Name page, define these settings:
   - Virtual directory name: user-defined name, populated with a default value.
   - Use Windows Authentication: select to use Windows Integrated Authentication for client connections. If selected, users are prompted for credentials when they use the package features on their device.
6. On the Specify Server Address page, define the address for the Afaria server. The portal package server uses this address to reach the Afaria server.
7. Follow the setup wizard to completion.
The portal package server installation is now complete. The installation process also populates the Portal Package Server configuration page with corresponding values.
On the device, deactivate the privilege associated with the Afaria application (Settings > Location and Security > Device Administrators).
Uninstall the Afaria agent.
Navigate to the Android Market and install the Afaria Client application (Afaria agent).
This wizard guides you through creating an Afaria agent installation package. Based on client type and your environment, you can choose different options that allow you to deploy the agent via a companion PC, a network, or the OTA Deployment Center.
Close all Afaria programs.
Using a command line, run the setup program (setup) with parameters to change the service account or password. The setup program accepts parameters in any order. Available command-line parameters:
- -Maintenance (required for all commands)
- -ServiceAccount=name (required if changing the user account and password associated with the Afaria server service)
- -ServicePassword=password (required if changing the user account and password associated with the Afaria server service)
- -DatabasePassword=password (required if changing the database user account password)
Allow program to run to completion. The Afaria setup program runs silently. It may take several minutes to complete. You may not know when it has finished unless you watch the task list or run the setup from a batch file. To check for errors, see C:\silent.log.
Afaria Server Command-Line Password Update Syntax Examples
The Afaria command-line setup program accepts parameters in any order. Examples:
    setup -Maintenance -DatabasePassword=password
    setup -Maintenance -ServiceAccount=name -ServicePassword=password
    setup -Maintenance -DatabasePassword=password -ServicePassword=password2
Close all Afaria programs.
Stop all Afaria-related services.
Using the Microsoft Add/Remove Programs utility, select the component and remove it. The most common reasons for the step to fail are:
- An Afaria program or related service is still running. Stop the programs and related services and retry the step.
- Windows Explorer or some other program is using the Afaria installation directory. Close all programs, then restart the machine and retry the step.
- Afaria system folders are shared with client users. Remove the share from the folder and retry the step.
If removing a replication server from a server farm environment, delete the server's entry from the farm's A_SERVER database table. If you do not delete this server from the database, it continues to appear in the channel replication window in Afaria Administrator as an available server, even though it is no longer an eligible target for replication.