
Installing Afaria 6.6 FP1
Afaria helps you manage all the pieces of your mobile infrastructure, including desktop and laptop computers, and your mobile devices. From a central location, you can keep devices secure, deploy applications, check inventory and provide automatic updates to your frontline workers. This guide provides overviews and step-by-step information about how to install, configure, and begin using the Afaria Server, Afaria Administrator and related applications.

Installing Afaria 6.6 FP1
Document version 6.60.01
Copyright 2010 Sybase, Inc. All rights reserved.

This publication pertains to Sybase software and to any subsequent release until otherwise indicated in new editions or technical notes. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be used or copied only in accordance with the terms of that agreement.

To order additional documents, U.S. and Canadian customers should call Customer Fulfillment at (800) 685-8225, fax (617) 229-9845. Customers in other countries with a U.S. license agreement may contact Customer Fulfillment via the above fax number. All other international customers should contact their Sybase subsidiary or local distributor. Upgrades are provided only at regularly scheduled software release dates.

No part of this publication may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without the prior written permission of Sybase, Inc.

Sybase trademarks can be viewed at the Sybase trademarks page at http://www.sybase.com/detail?id=1011207. Sybase and the marks listed are trademarks of Sybase, Inc. ® indicates registration in the United States of America. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. All other company and product names used herein may be trademarks or registered trademarks of the respective companies with which they are associated.

Use, duplication, or disclosure by the government is subject to the restrictions set forth in subparagraph (c)(1)(ii) of DFARS 52.227-7013 for the DOD and as set forth in FAR 52.227-19(a)-(d) for civilian agencies.

Sybase, Inc., One Sybase Drive, Dublin, CA 94568

Contents

Afaria Installation and Maintenance
Revisions for Document Update Version 6.60.01
Afaria Support Services
Sybase Social Media Channels
Afaria Architecture
Afaria Server
Afaria Administrator
System Requirements and Release Notes
Installing Afaria
Installing a Simplified Environment
Installing a Standard Environment
Reinstallation
Upgrade
Preparing to Install Afaria
Creating User Accounts for Installing and Operating Afaria
The Afaria Database
Preparing for Upgrading the Platform
Preparing for Discontinued Server/Client Operations
Preparing for Continued iOS Device Management
Preparing for Continued Exchange Access Control Operations
Preparing for Continued SSL Communications
Preparing for Continued OMA DM Operations
Preparation for Upgrading to the Multitenancy Environment
Preparing for Upgrading Clients
Data Security Manager Clients that use Encryption
Clients in the Multitenancy Environment
Starting the Afaria 6.6 Setup Program
Locating Product Documentation
Entering or Updating Your License Key
Installing an Express Install
Installing Afaria Server 6.6
Starting the Server Setup Program
Selecting Server Options
Selecting Authentication Type
Completing the Installation
Installing Afaria Administrator
Verifying Afaria Administrator IIS Settings
Changing the IIS Connection Timeout Value
Starting Operations
Logging in as the Default User
Adding a Server to the Server List
Users and Roles in Afaria
Logging in as an Added User
Starting/Stopping/Restarting the Afaria Server
Accessing Afaria Administrator from a Remote Location
Server Configuration
Additional Installation and Resource Items
Setting Up the OTA Deployment Center
Getting Prerequisite Components
Installing Apache HTTP Server
Installing PHP Scripting Engine
Installing PHPConcepts PclZip
Installing the Deployment Center for an IIS Web Server
Installing the Deployment Center for an Apache Web Server
Deployment Center File Types
Deployment Center File Locations
Setting Up Access Control for Microsoft Exchange
Afaria Access Control for Microsoft Exchange Architecture
Installing the Afaria ISAPI Filter
Setting Up the SMS Gateway
SMS Gateway Third-Party Dependencies
Setting Up iOS Features
Installing the iOS Provisioning Server (Basic)
Configuring the Certificate Authority
Optional iOS Implementation Features
Adding Payload Signing to the Basic iOS Implementation
Reinstalling Afaria iOS Provisioning Server for Signing
Installing the Afaria SCEP Plug-In Module on the CA
Configuring Secure iOS Connections
Configuring the Relay Server for iOS Connections
Setting Up OMA DM Features
Setting Up the Relay Server
Registering the IIS User Account with ASP.NET
Copying Relay Server Files
Creating IIS Application Pools
Updating the Relay Server's IIS Configuration
Editing the Relay Server Configuration
Starting and Restarting the Relay Server
Documentation Resources for Updating Afaria Configuration
Planning for Adding a Relay Server to Your Afaria Environment
Configuring Upgraded Clients with Relay Server Data
Relay Server Bypass
Installing Afaria 6.6 Feature Pack 1
Installing the Portal Package Server
Upgrading Android Clients from 6.6 to 6.6 FP1
Create Client Installation Wizard
Updating Passwords and Accounts on the Afaria Server
Removing Afaria Components


Afaria Installation and Maintenance


Afaria installation and maintenance requires that you have proficient knowledge of the Windows operating system, Microsoft IIS, Microsoft Internet Explorer, your database server, your user directory manager, and the device types you plan to support. For installation guidance and instructions, start the Afaria setup program, choose the Documentation option, navigate to the documentation folder, and open the document Installing Afaria.

Revisions for Document Update Version 6.60.01


This guide is updated to include content for installing Afaria 6.6 Feature Pack 1. See Installing Afaria 6.6 Feature Pack 1 on page 92.

Afaria Support Services


Sybase provides industry-leading support and a variety of downloads to help you get the most out of your Sybase products and solutions. For more information about Sybase Customer Service and Support, you can visit www.sybase.com/support. If you have a technical support contract, you can locate your local technical support center at www.sybase.com/contactus/support.

Sybase Social Media Channels


Visit us online for our social media channels at www.sybase.com/resources/socialmedia.


Afaria Architecture
The Afaria architecture is designed for your enterprise environment to help you manage your desktop and mobile computing devices. The following Afaria terms help to provide an understanding of the Afaria product:

- Afaria server: Afaria is a server-based solution that can operate as a single, standalone server or as multiple servers in a server farm environment. The Afaria server communicates with the Afaria database and additional components or clients as necessary.
  - Standalone Afaria server: a single Afaria server operating as the only server in an Afaria installation. The server has a one-to-one relationship with the Afaria database.
  - Afaria server farm: multiple Afaria servers operating together in an Afaria installation. The servers have a many-to-one relationship with the Afaria database. A server farm includes one main Afaria server and one or more replication servers. All servers in the farm can access the database and host Afaria client sessions.
  - Peer Afaria servers: Afaria servers that operate as separate Afaria installations. Peer servers access different Afaria databases and support different sets of Afaria clients.
- Afaria Administrator, the application: the Web application that provides an interface for the Afaria server. Use Afaria Administrator to define the server configuration, define access policies for Afaria Administrator users, manage Afaria clients, monitor system activity, and communicate with other Afaria servers.
- Afaria administrator, the individual: the person that installs and operates the Afaria product.
- Afaria clients: user devices, such as handheld devices, smartphones, and laptops that Afaria manages. Clients either have an Afaria agent installed or have a native capability or third-party application that Afaria features use to interact with the hosting device.
- (Optional) Relay server: operates as a proxy for HTTP and HTTPS connections between an Afaria component server, such as an Afaria server or an OMA DM server, and its clients. Using a relay server increases enterprise network security by moving the session connection point from within your firewall to outside your firewall.
- (Optional) OTA Deployment Center: Web server that provides Afaria agent deployment services for your clients. An administrator pushes Afaria agent installation packages out to the deployment center and then sends notices to device holders. Device holders can download the agent directly onto their device for installation.
- (Optional) iOS provisioning server: for iOS client management, the Afaria iOS provisioning server sends configuration payloads to iOS devices.
- (Optional) Portal Package server: for portal package operations, and for content not delivered from another source, the portal package server hosts and serves Afaria application packages to clients.
- (Optional) OMA DM server: runs authenticated sessions with OMA DM clients to deliver messages that manage OMA DM clients. Clients are devices that have native support for device management via OMA DM standards and are known to the Afaria server.


Afaria Server
The Afaria Server program is installed on the server that communicates with the database. The Afaria Server program has no user interface; settings and features are available through the Afaria Administrator Web application. Depending upon your licensing, other Afaria programs that reside on the Afaria server include:

- Create Client Installation: a wizard that guides you through creating an agent installation package. Based on client type, you can choose different options that allow you to deploy the client via the OTA Deployment Center, a companion PC, a network, or client APIs.
- Software Catalog Editor: software reference catalog for Windows software. The Afaria Inventory Manager component references a software catalog when reporting software installed on Windows clients.
- Channel Viewer: lets you run Afaria sessions directly on your server machine.
- OTA Publisher: lets you create and publish packages of agent setup files to a Web server deployment center (Afaria OTA Deployment Center) for deployment to your planned client devices. A device user can download a package from the deployment center to install the Afaria agent on his device without having to connect to a companion PC or network.

Afaria Administrator
Afaria Administrator is the Afaria Server program's interface, a Web-based application that you can access from any computer running appropriate versions of Microsoft .NET and Internet Explorer. Afaria uses role-based access policies to control user rights. Rights are associated with discrete functions in the user interface. An administrator with sufficient access policy rights can use Afaria Administrator to view and manage operations and data. A user with limited rights might be limited to view-only access of a single functional area.


System Requirements and Release Notes


Before you install your Afaria components, ensure that your environment complies with the system requirements. Complying with system requirements and reviewing the information in the release notes helps you to take full advantage of features and operate your system appropriately. Complete system requirements are delivered with your order fulfillment. They are also available in the product release notes available on the technical support site. The release notes include information about product known issues and fixed issues.

Consider these advisories prior to starting the installation:

- Running Afaria and RemoteWare products on the same machine is not supported; you must install each product on a separate machine.
- Installing Afaria and its associated server-side components requires that you have physical access to the target servers. Using terminal services or comparable means is not a viable method for installation.


Installing Afaria
Follow an installation workflow to install Afaria on a server that does not have the Afaria software installed or when you want to install again to a new installation path. An installation workflow defines the process for planning and installing your Afaria environment. Identify the scenario that best describes your situation and requirements:

- (Evaluation license only) Installing in a simplified environment
- Installing in a standard environment, including:
  - A first-time install
  - Installing to a new path

Installing a Simplified Environment


Use the express install to install an evaluation license for Afaria in a simplified, single server environment using a predefined database and local authentication. The express install option is valid only with an evaluation license on a 32-bit environment; it is not supported as a production environment. The express installation performs these actions:

- Installs and configures a SQL Anywhere database.
- Installs Afaria server and its related server applications with authentication enabled for local users.
- Installs the Afaria Administrator Web console.
- If licensed for OMA DM features, installs the OMA DM server.

1. Prepare for the install by creating a Windows user account for operations.
2. Start the setup program.
3. Enter your license key. You must have an evaluation license key to continue.

Complete an express install.


Installing a Standard Environment


Use the standard install to install Afaria with a separately installed database, Afaria server, and Afaria Administrator Web console. A standard environment is appropriate for installations with one or multiple Afaria servers.

1. Prepare for the install, including creating a Windows user account for operations and establishing your database environment.
2. On your planned Afaria server, enter your license key and complete the Afaria server installation. If your installation is planned to have only one Afaria server, the server is a standalone server. If your installation is planned for a farm, the first server installed is the master or main server.
3. On your planned administrator server, complete the Afaria Administrator installation.
4. Complete procedures for getting started with operations.
5. (Server farm) For each additional server, prepare for the install by creating a Windows user account for operations, enter your license key, and complete the Afaria server installation. The additional servers in a farm are called farm or replication servers.

Reinstallation
Reinstall Afaria when changing your database, changing the authentication type, adding newly licensed features or capacity, or repairing Afaria. Reinstallation is re-running an installation on an Afaria server or administrator server that already has the same version of Afaria installed. Reinstalling is appropriate for repairing problems associated with corrupted or deleted files, and for making certain types of changes to your current installation.

Upgrade
Upgrade is running an installation on an Afaria server or administrator server that has a version of Afaria installed that is supported on the upgrade path. An upgrade is defined as upgrading the complete environment; the clients must upgrade along with the server and administrator components. Follow an upgrade workflow to install a more recent version without having to uninstall and install new. You can upgrade to Afaria 6.6 from any 6.0 SP1 or 6.5 configuration.


Preparing to Install Afaria


Complete preparatory steps before installing Afaria components.

1. Create a Windows user account with appropriate attributes.
2. (Production licenses, not using express install) Create your database environment.

If you have an evaluation license and plan to install the simplified, express install, the installation process creates your database environment for you.

Creating User Accounts for Installing and Operating Afaria


Create a Windows account to provide a user context for running the Afaria server as a Windows service and authenticating domain users. Running the server as a Windows service means the server operates without an administrator logging on to start the program. If the server reboots, Afaria starts automatically.

1. On the planned server, create a local or domain Windows user account with the following attributes:
   - Password Never Expires
   - Logon as Service
2. Add the user to the planned server's local administrators user group.
3. Record the account credentials to use when you install the Afaria server and the Afaria Administrator programs.
4. (Active Directory environment) On the domain controller, update the user account properties (AccountName > Properties > Account > Log On To) to ensure the Log On To list of logon workstations is either unrestricted or includes the planned Afaria Administrator server and all planned Afaria Administrator browser computers.

For each additional domain that you plan to authenticate users against for operations, and using the same credentials and attributes as the first account, create a local account on the domain's domain controller.

The Afaria Database


The Afaria server uses a database to log system activity and data. Unless you have an evaluation license and plan to install the simplified, express install, install and configure your database prior to installing the Afaria Server program. The express install includes database installation and configuration. If you are planning to create a server farm environment, all the servers in the farm access the same database. The product supports using iAnywhere SQL Anywhere, Microsoft SQL Server, or Oracle for the Afaria database. Configure only one type of database.


Refer to the system requirements for complete database support information.

Estimating Your Database Size Requirements


Estimate your database size to understand your weekly disk space requirements for operations with all logging enabled. Plan disk availability based on requirements.

1. Estimate values for the following factors:
   - # of sessions per day
   - Average session size

Apply the factor estimates to the daily formula for estimated growth per day:

(# of sessions per day) * (average session size) = Estimated growth per day

Apply the daily estimate to the weekly formula for estimated growth per week:

(estimated growth per day) * 7 = Estimated growth per week

For example, to determine the weekly disk space growth for 1000 daily sessions with an average session size of 60 KB:

(1000 sessions per day) * (60 KB average session size) * 7 days = 420 MB

So in this example, the database is estimated to grow by 420 MB per week.

Consider the following items for calculating estimates:

- Add 1 MB of data per week to the estimate for each Inventory Manager client. Using Inventory Manager to perform client directory scans on Windows clients adds significantly more data to this estimate.
- Sessions with 100 events add an average of 40 KB in database growth per session in additional log data.

Creating a SQL Anywhere Database and User


If you plan to use Sybase iAnywhere SQL Anywhere database with Afaria, create the database for operations, and an associated user to provide a user context to access the database.

1. Create a database. Use default configuration settings with the exception of the following attributes:
   - Install jConnect metadata support: Disabled.
   - Page size: 8192 KB minimum.
2. Create a database user for the Afaria service to use for database access. Assign the database administrator (DBA) authority to the user.
3. Connect to the new database using the following network database server properties:
   - Identification: Database user name and password that you created for Afaria database access.
   - Database: Indicate the Afaria database server name and start line dbsrv11.exe, as well as the database name and file. Do not start the database using start line dbeng11.exe, which is for non-network database servers and does not support enough database connections for the Afaria service.

It is strongly recommended that you have only one instance of dbsrv11.exe per database.

For details, see your SQL Anywhere documentation on http://sybooks.sybase.com.

Configuring the SQL Anywhere Database for Operations


For Sybase iAnywhere SQL Anywhere operations, prepare your database environment for sustainability and availability. To create a Windows service that automatically starts the database whenever the Afaria server is restarted:

1. In Sybase Central, select the Services tab and run the New Services Wizard.
2. Select service type.
3. Specify the executable.
4. Specify the parameters. -n database name. -x tcpip C:\AfariaDB\afaria.db. This instructs the database server to only run the TCP/IP network driver.
5. Local system account.
6. Select Automatic.
7. Start the server now.
8. Upon completion of the wizard, create a system event to back up and truncate the log. Log size 50 MB is recommended for an initial setting.

For details, see your SQL Anywhere documentation on http://sybooks.sybase.com.


Creating a SQL Server Database and User


If you plan to use Microsoft SQL Server database with Afaria, create the database for operations, and an associated user to provide a user context to access the database.

1. Create a database with the following attributes:
   - Datafiles: Automatically Grow File, Unrestricted Filegrowth.
   - Transaction Log: Minimum size 25 MB, Automatically Grow File, Unrestricted Filegrowth.
2. Create a role called db_executor with the execute right.
3. For the user you plan to use for Afaria operations with the database, ensure the user has the following attributes for your Afaria database:
   - Default schema dbo
   - Role db_ddladmin
   - Role db_datawriter
   - Role db_datareader
   - Role db_executor
   - Password does not contain the semicolon (;) character

For details, see your SQL Server documentation.


Example SQL Script for Creating a SQL User for Afaria Database Operations

This example script creates a new role with the execute right for a database named Afaria and assigns the user JBrowne all the required attributes the user needs for Afaria operations.

--For a database named Afaria and a login named JBrowne, create a User named JBrowne and grant the user the appropriate rights.

USE Afaria
GO

--Create a new role for executing stored procedures
CREATE ROLE db_executor
--Grant stored procedure execute rights to the role
GRANT EXECUTE TO db_executor
GO

--Assign user to dbo and required roles
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'JBrowne')
BEGIN
    CREATE USER [JBrowne] FOR LOGIN [JBrowne] WITH DEFAULT_SCHEMA = dbo
    EXEC sp_addrolemember db_ddladmin, JBrowne
    EXEC sp_addrolemember db_datawriter, JBrowne
    EXEC sp_addrolemember db_datareader, JBrowne
    EXEC sp_addrolemember db_executor, JBrowne
END;


When you install the Afaria server, use the credentials from a user like this one if you choose SQL authentication for the Afaria database. If using Windows integrated authentication instead of SQL authentication, the Windows user requires the same rights and roles.

Configuring the SQL Server Database for Operations


For Microsoft SQL Server operations, prepare your database environment for sustainability and availability. Verify that logs are truncated on checkpoint:

1. Right-click the database and select Properties.
2. In the Properties window, click the Options tab.
3. In the Recovery section, click the Model list box and select Simple.

For details, see your SQL Server documentation.
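
The user attributes and the Simple recovery model described above can be checked with a read-only audit query before you run the Afaria server installation. The following is an added example, not part of the Afaria guide or product; it assumes the database name Afaria and the user name JBrowne from the guide's example script, so substitute your own names.

```sql
-- Added example (not from the Afaria guide): read-only audit of the Afaria
-- database user and recovery model. The names Afaria and JBrowne are the
-- ones used in the guide's example script and are assumptions here.
USE Afaria;
GO

DECLARE @user sysname;
SET @user = N'JBrowne';

-- 1. The user's default schema should be dbo.
SELECT name AS database_user,
       default_schema_name,
       CASE WHEN default_schema_name = N'dbo' THEN 'OK' ELSE 'CHECK' END AS schema_status
FROM sys.database_principals
WHERE name = @user;

-- 2. The user should be a member of each of the four required roles.
--    A role that does not exist, or a user that does not exist, reports MISSING.
SELECT req.role_name,
       CASE WHEN m.member_principal_id IS NULL THEN 'MISSING' ELSE 'OK' END AS membership_status
FROM (SELECT N'db_ddladmin' AS role_name
      UNION ALL SELECT N'db_datawriter'
      UNION ALL SELECT N'db_datareader'
      UNION ALL SELECT N'db_executor') AS req
LEFT JOIN sys.database_principals AS r
       ON r.name = req.role_name
      AND r.type = 'R'
LEFT JOIN sys.database_role_members AS m
       ON m.role_principal_id = r.principal_id
      AND m.member_principal_id = DATABASE_PRINCIPAL_ID(@user);

-- 3. db_executor should hold a database-level EXECUTE grant.
--    No row returned means the GRANT EXECUTE step was not applied.
SELECT pr.name AS role_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'db_executor'
  AND pe.class = 0        -- 0 = permission on the database itself
  AND pe.type = 'EX';     -- EX = EXECUTE

-- 4. List any role memberships beyond the four the guide asks for,
--    so that extra rights such as db_owner are noticed and reviewed.
SELECT r.name AS additional_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r
  ON r.principal_id = m.role_principal_id
WHERE m.member_principal_id = DATABASE_PRINCIPAL_ID(@user)
  AND r.name NOT IN (N'db_ddladmin', N'db_datawriter',
                     N'db_datareader', N'db_executor');

-- 5. The recovery model should be SIMPLE so logs are truncated on checkpoint.
SELECT name AS database_name,
       recovery_model_desc,
       CASE WHEN recovery_model_desc = 'SIMPLE' THEN 'OK' ELSE 'CHECK' END AS recovery_status
FROM sys.databases
WHERE name = DB_NAME();
```

The query changes nothing in the database. The semicolon restriction on the password cannot be checked from SQL and has to be confirmed when the credentials are set.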

Setting Up Oracle for Afaria


If you plan to use Oracle database with Afaria, create a user with appropriate role and system privilege attributes and a Net service for Afaria-Oracle communications.

1. Install the Oracle client on the planned Afaria server.
2. Create a user account on the Oracle Server. Grant the account the following roles and system privileges to the database:
   - Role: Connect, Resource
   - System Privileges: Create Table, Create Trigger, Create View, Create Sequence, Create Procedure, Unlimited Tablespace.
3. Create a Net service to allow the planned Afaria server to communicate with the Oracle Server.
4. Restart the Afaria server.

For more details on configuring the Oracle database, see your Oracle documentation.


Preparing for Upgrading the Platform


You can upgrade to Afaria 6.6 from any 6.0 SP1 or 6.5 configuration. Afaria 6.0 customers must apply 6.0 SP1 to the Afaria server, and allow clients to upgrade to 6.0 SP1, before upgrading to Afaria 6.6. Afaria 6.5 clients can upgrade directly to Afaria 6.6. Before you upgrade your Afaria components, validate all the prerequisites and system requirements in order to take full advantage of its features and to ensure that your system operates with maximum efficiency.
All customers are advised to have an Afaria system backup in place prior to beginning an in-place upgrade. A system backup includes the database, application software, and application data. Complete system requirements are available in the product release notes available on the technical support site. You must ensure that your environment complies with the system requirements before installing or upgrading Afaria.

Afaria Server Upgrade

The following steps summarize the procedure for upgrading an Afaria installation that includes a single Afaria server.
1 Stop Afaria services.
2 Upgrade the server. Do not start the Afaria Server service at this time.
3 Upgrade the Afaria Administrator application.
4 Start Afaria Server service.

Afaria Server Farm Upgrade

Upgrading a farm environment has additional requirements to complete the upgrade. The following steps summarize the procedure for upgrading an Afaria server farm environment.
1 Stop Afaria services on all replication servers.
2 Upgrade the main Afaria server. Do not start the Afaria Server service at this time.
3 Upgrade the replication servers.
4 Upgrade the Afaria Administrator application.
5 Start Afaria Server service on main server, then replication servers.
6 Replicate appropriate channels to replication servers.

Preparing for Discontinued Server/Client Operations


For customers that use the Windows client on the Afaria server for tasks prior to upgrading, consider implementation changes to the Afaria server and adapt your operations as is appropriate for your requirements.
1 Prior to upgrading, review the role of the Afaria server's Windows client in your environment.
2 Consider the upgrade implementation changes that impact your operations.
   - The Channel Viewer interface for Windows client is supported only on 32-bit environments. The Afaria server is supported on 64- and 32-bit environments.
   - The Windows client is always installed on a new Afaria server without Channel Viewer. You can add Channel Viewer on supported environments by installing a Windows client with the Channel Viewer option from the Afaria Create Client Installation program.
   - If upgrading to a 64-bit server environment, Channel Viewer is removed during the upgrade, as it is not supported in a 64-bit environment.
   - If upgrading to a 32-bit server environment, and Channel Viewer was installed prior to upgrading, then Channel Viewer is preserved during the upgrade.
   - The Windows client has a separate installation path from the Afaria server. For Session Manager operations, consider how you are using references and variables:
      - References that use absolute paths may break.
      - Relative paths that use a client path variable, such as <ClientDataDir>, are still correct.
      - Relative paths that use a server path variable, such as <ServerInstallDir>\TestHTML, may break.

After upgrading, adapt your operations according to the new implementation and your requirements.

Preparing for Continued iOS Device Management


For customers that used iOS configuration policies (formerly iPhone configuration policies) prior to upgrading, policies are no longer accessible from the Afaria Administrator application, and a new configuration policy implementation is in place. Create or import new policies as your requirements dictate. Upgrading retains existing iOS device definition records, as well as any associated user-defined variables that have values.
1 Upgrade Afaria to the current version.
2 To review your preupgrade iOS policies and assignments report, run the iOS upgrade utility and click View Report.
   Utility path: <ServerInstallDir>\Bin\iPhoneMobileconfigExport.exe
   The report identifies the Afaria 6.5 policies assigned to each Afaria 6.5 device definition.
3 (Optional) To export former iOS configuration policies for use with the new implementation, run the iOS upgrade utility and click Begin Export.
4 On the Afaria Administrator, import or create new policies.
   - To import policies, on the Administration > Policies and Profiles page, click Import iOS Mobile Configuration File on the toolbar.
   - To create new policies, on the Administration > Policies and Profiles page, right-click Policies and select New > Device Configuration.
5 Add iOS clients to new or existing client groups.
6 Add client types, client groups, and policies to new or existing group profiles.
7 For the group profile or the client group, send an outbound notification to apply policies. The notification causes clients to connect to the iOS provisioning server.

Preparing for Continued Exchange Access Control Operations


If you are upgrading from a pre-6.5-FP2 version of Afaria, prepare for changes to the Afaria Access Control for Exchange features. Upgrading makes changes to defined synchronization policies.
1 Before upgrading, in the Afaria Administrator application, select Server Configuration > Properties > Exchange ActiveSync Policy to review your current default policy and time frame settings.
2 After upgrading, revisit the renamed page by selecting Server Configuration > Properties > Exchange Access Policy to review your upgraded settings. Change any settings as is appropriate for your requirements.

See Afaria Reference Manual | Platform > Properties > Exchange Access Policy.

Preparing for Continued SSL Communications


If you are upgrading from a pre-6.5 version of Afaria, check certificate requirements and password assignments to ensure SSL communication is uninterrupted. For environments that operate with SSL communications, continuing SSL support may be critical to your operations. Check these items to ensure that your SSL sessions can continue without interruption:
1 Valid certificate requirements: Afaria 6.5 allows SSL sessions to run only when the server's certificate is valid, as evaluated against the following criteria:
   - The certificate is signed by a trusted CA or a trusted self-signed CA.
   - The certificate is not expired.
   - The Common Name (typically the fully qualified domain name) on the certificate matches the address that the client used to initiate the session.
   - The certificate is valid for encryption and authentication.
   - The certificate is compliant with x.509 certificate standards. Supported formats: Base64-encoded x.509 (.CER) and Personal Information Exchange (.PFX). You can convert a nonencoded x.509 certificate to a Base64-encoded certificate by using a "save as" or "export" process in a certificate editor such as the Microsoft Certificates utility (CertMgr.msc).
   - The certificate key is an RSA key.
   If the product detects an invalid certificate after the upgrade, all SSL connections are terminated until a new, valid certificate is installed.
2 Certificate password assignment: In contrast to previous releases, the upgraded environment requires a password for all certificates. Therefore, to facilitate a working environment after upgrade, the upgrade assigns the password "password" to the certificate. You can use the Server Configuration > Properties > Client Communication > View to view your certificate and change the password to a privately known value.
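
The certificate criteria and the upgrade-assigned certificate password described above can be checked from an administrator workstation. The following PowerShell is an added example, not part of the Afaria product or its documentation; the function names, the sample host name, and the reading of "valid for encryption and authentication" as the KeyEncipherment and DigitalSignature key usages are assumptions. It requires PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: evaluates one certificate against the criteria listed above.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ClientAddress,   # address clients use to start the session
        [datetime]$Now = (Get-Date)
    )

    # Trust: build the chain against the local trust stores. Revocation lookups are
    # skipped so the check runs offline, and expiry is ignored here because it is
    # reported separately below.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::IgnoreNotTimeValid
    $trusted = $chain.Build($Certificate)

    # Assumption: "valid for encryption and authentication" is read as the
    # KeyEncipherment and DigitalSignature key usages. A certificate without a
    # key usage extension is unrestricted.
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [X509KeyUsageExtension] } |
        Select-Object -First 1
    $usageOk = (-not $ku) -or (
        $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment) -and
        $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature))

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        ChainTrusted = $trusted
        NotExpired   = ($Now -ge $Certificate.NotBefore) -and ($Now -le $Certificate.NotAfter)
        NameMatches  = $Certificate.GetNameInfo([X509NameType]::SimpleName, $false) -eq $ClientAddress
        UsageOk      = $usageOk
        RsaKey       = $Certificate.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'   # rsaEncryption
    }
}

# Hypothetical helper: reports whether a PFX blob opens with the given password.
# Use it to confirm that the upgrade-assigned password has been replaced.
function Test-PfxOpensWithPassword {
    param(
        [Parameter(Mandatory)][byte[]]$PfxBytes,
        [Parameter(Mandatory)][string]$Password
    )
    try   { [void][X509Certificate2]::new($PfxBytes, $Password); $true }
    catch { $false }
}

# Constructed sample: a throwaway self-signed RSA certificate for a made-up host
# name, created in memory and not installed in any trust store.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=afaria.example.test', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$usages = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new($usages, $true))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

# Same certificate, evaluated for a matching name and for a mismatched address.
Test-ServerCertificate -Certificate $cert -ClientAddress 'afaria.example.test'
Test-ServerCertificate -Certificate $cert -ClientAddress '192.0.2.10'

# Export with the upgrade-assigned password, then test whether that password still opens it.
$pfx = $cert.Export([X509ContentType]::Pfx, 'password')
Test-PfxOpensWithPassword -PfxBytes $pfx -Password 'password'
```

For a real server, load the exported certificate file into an X509Certificate2 object and pass the address that clients are configured to connect to.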

Preparing for Continued OMA DM Operations


If you are upgrading from a pre-6.5 version of Afaria, and currently using the OMA DM trust task, prepare for continued operations by replacing the task to adopt the new implementation.
1 Upgrade server and administrator.
2 Restart services.
3 Modify the existing trust task, changing the action to remove.
4 Add a new trust task into the same policy but after the pre-existing trust task. Define the task with an add action and select any additional rights to enforce.
5 Connect OMA DM clients to deploy the updated policy.

Preparation for Upgrading to the Multitenancy Environment


Multitenancy is a separately licensed product feature introduced with Afaria 6.5 that allows hosting providers to manage multiple enterprises from a single Afaria implementation. See also Afaria Reference Manual | Platform > Using Tenants and Multitenancy to learn about multitenancy and how it supports your role as a hosting administrator.

Transitioning Clients and Assets into Multitenancy Features


After upgrading, follow this general task flow to migrate your client base from single-tenant operations to multiple-tenant operations without interrupting schedules or work. A newly upgraded environment, one that has been upgraded from a nontenant environment to a multitenant environment, continues operations without disruption to scheduled client sessions or the work tasks operating in the pre-upgrade environment. All upgraded clients and assets, such as profiles and their associated policies and channels, default to the predefined system tenant during the upgrade.
1 Define tenants.
2 Define access policies that associate roles with tenants.
3 For each tenant, define assets and connect clients:
   - Define client groups.
   - Define profiles and associated assets that continue your operations according to your requirements. You may continue to use system tenant assets, as shared by the system tenant and available to all tenants, or you can define new, tenant-specific assets.
   - Assign client groups to profiles, as appropriate for your operations.
   - Change client tenant associations from the system tenant to the new tenants.
   - Connect clients.

When clients connect, they automatically pick up their new tenant association and begin using their assigned profiles.

Defining New Access Policies Tenant Attribute for Roles


Revisit access policy roles after the upgrade to determine whether the postupgrade value for the Tenant attribute is appropriate for your requirements. The new Afaria Administrator Server Configuration Tenants page introduced by the multitenancy feature introduces a new Tenant role definition item in the Server Configuration role definition tree.
1 On the Afaria Administrator application, open the Access Policies page.
2 For each role, open Role Definition > Server Configuration > Tenants and select Create, Modify, or Read, as appropriate for the role.

Re-evaluating Upgraded Custom Data Views and Custom Reports


Re-evaluate upgraded custom items after accumulating data to determine how custom views and reports are performing. Database changes introduced by the multitenancy feature have implications for custom data views and custom reports. The upgraded environment attempts to filter results by tenant by modifying the associated SQL script at runtime. However, these modifications may not always be successful.
1 Perform the upgrade.
2 Create a few tenants.
3 Accumulate some data in each tenant.
4 Run custom views and reports. Custom items produce one of the following results:
   - Error-free results that are filtered by tenant
   - Error-free results that are not filtered by tenant
   - Fatal errors during execution

If custom items result in fatal errors, delete damaged items and re-create them in the new environment, taking the new database design into consideration. Custom items that you create after the upgrade are available to all tenants, rather than only for the originating tenant.

See Afaria Reference Manual | Platform > Data Views to learn more about creating custom views in a multitenant environment.

Preparing for Upgrading Clients


Afaria clients upgrade automatically, using the Afaria Electronic Software Delivery (ESD) feature, as they connect to an upgraded Afaria server. When upgrading fails due to the Afaria platform no longer supporting a client's operating system, the system records the event in the Messages log. The upgrade connection performs only an upgrade and does not execute other operations, such as running requested channels. Use a subsequent connection to continue operations.

Data Security Manager Clients that use Encryption


If you are upgrading from a pre-6.5 version of Afaria, the Data Security Manager method for interpreting paths and file names for encrypting and specifying items is changed. A folder name now requires a backslash terminator. A folder name without a backslash is interpreted as a file. For example: \Temp\ declares a folder, while \Temp declares a file. This distinction may render previously encrypted files as decrypted. Consider the following cases:
   - Pre-upgrade specification: \Temp
      - If the \Temp directory exists, all files in the directory are encrypted.
      - If the \Temp directory does not exist but file temp does, only the file is encrypted.
   - Upgrade specification without backslash terminator: \Temp encrypts only file temp, without regard to the presence or absence of a directory of the same name.
   - Upgrade specification with backslash terminator: \Temp\ encrypts all files in the folder.

See Afaria Reference Manual | Components > Data Security Manager for Handheld Clients > Lock Down Options > Path and File Name Data Items to learn about defining items for encryption and items for deleting specified data.
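
To find encryption specifications whose meaning changes under the backslash rule, compare what each one covered before the upgrade with what it covers afterward. The following PowerShell is an added example, not Afaria code; the function name, the sample paths, and the choice to count files in subfolders as part of a folder are assumptions.

```powershell
# Hypothetical helper: for each specification without a trailing backslash, lists
# the files that were covered under the pre-upgrade rule but are not covered
# under the post-upgrade rule.
function Get-DsmSpecCoverageChange {
    param(
        [Parameter(Mandatory)][string[]]$Spec,        # encryption specifications in use before the upgrade
        [Parameter(Mandatory)][string[]]$DeviceFile   # file paths known to exist on the client
    )
    foreach ($s in $Spec) {
        # A trailing backslash is already an explicit folder under the new rule.
        if ($s.EndsWith('\')) { continue }

        $prefix = $s + '\'
        # Files that live under a directory with this name (assumption: subfolders count).
        $inDir  = @($DeviceFile | Where-Object {
            $_.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) })
        # A file with exactly this name.
        $asFile = @($DeviceFile | Where-Object { $_ -ieq $s })

        # Pre-upgrade: the directory wins if it exists, otherwise the file of that name.
        $before = @(if ($inDir.Count -gt 0) { $inDir } else { $asFile })
        # Post-upgrade: no trailing backslash always means a file.
        $after  = $asFile
        $lost   = @($before | Where-Object { $after -notcontains $_ })

        [pscustomobject]@{
            Spec          = $s
            CoveredBefore = $before.Count
            CoveredAfter  = $after.Count
            LosesCoverage = $lost
            # Appending the backslash restores the folder meaning.
            SuggestedSpec = if ($inDir.Count -gt 0) { $prefix } else { $s }
        }
    }
}

# Constructed sample: a device file inventory and the specifications in use.
$files = '\Temp\orders.db', '\Temp\cache\a.tmp', '\My Documents\notes.txt', '\secrets'
$specs = '\Temp', '\secrets', '\My Documents\'

Get-DsmSpecCoverageChange -Spec $specs -DeviceFile $files | Format-List
```

Any specification reported with a non-empty LosesCoverage list needs the backslash terminator added before clients pick up the upgraded policy.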

Clients in the Multitenancy Environment


See Preparation for Upgrading to the Multitenancy Environment on page 24.

Starting the Afaria 6.6 Setup Program


Your Afaria license key determines which setup options appear on the setup menu and which are enabled. Install all installation items only from the setup menu. Installing menu items directly from a product image folder may yield undesirable results.
1 On the server of interest for a planned installation item, close all running programs.
2 Copy the entire Afaria product image to a local destination.
3 On the root directory of the image, locate the setup.exe file.
4 Open setup.exe to launch the setup program and open the Afaria Setup Menu.

Locating Product Documentation


Locate documentation for help with installing and using the product. Documentation is included on the product installation image.
1 Start the setup program.
2 Click Documentation.
3 Click the item of interest.
   - Readme: includes information about finding system requirements and release notes on the technical support site and information about what is located on the product installation image.
   - Installation guide: the English version of Installing Afaria. Installing Afaria is available in additional languages by clicking Documentation folder on the documentation menu and navigating the language folders.
   - Documentation folder: opens the \Documentation folder on the installation image. All product documentation is available in English. Some documents are available in additional languages.

Entering or Updating Your License Key


Enter or update your license key for new installations and any time you receive a new key associated with a licensing change. The key defines which setup menu options are available. For updating the license key, perform the update on each Afaria server.
1 Start the setup program.
2 Click View or Update License Key.
3 Type your license key into the key box. Choose Licensing Details to review your licensing information.
   The maximum number of concurrent sessions supported per server depends on your licensing. The ability to run the maximum number of licensed concurrent sessions depends upon the amount of memory, the speed, and number of the processors on your server.
4 Choose Apply to save the license key and return to the setup menu with your licensed options available.
5 For updating your license key, complete a reinstallation for the server. The reinstallation updates the server as necessary to support the license change.

Installing an Express Install


The express install option is valid only with an evaluation license on a 32-bit environment. Use the express install to install Afaria in a simplified environment. Installation requires that you have a user account established for installing and operating Afaria. The express installation performs the following actions:
   - Installs and configures a SQL Anywhere database.
   - Installs an Afaria server and its related server applications with authentication enabled for local users.
   - Installs the Afaria Administrator Web console.
   - If licensed for OMA DM features, installs the OMA DM server.
1 Start the setup program.
2 Click Express Evaluation Install. The program opens the End User License Agreement dialog box.
3 Click Yes or No to indicate your acceptance or rejection. The installation continues only when you accept the agreement.
4 Specify the account name and password to use to run the Afaria service.
   The Express install includes an evaluation copy of SQL Anywhere. You may need to acknowledge one or more informational dialog boxes that describe the evaluation product.
5 Click Install.

See also Creating User Accounts for Installing and Operating Afaria on page 12.

Installing Afaria Server 6.6


Install the Afaria server as the first server component in your Afaria installation.

Starting the Server Setup Program


Start the server setup program and install a server. Installation requires that you have your database installed and configured for Afaria, and that you have a user account established for installing and operating Afaria.
1 Start the setup program.
2 On the setup menu, click Install.
3 Click Server. The program opens the End User License Agreement dialog box.
4 Click Yes or No to indicate your acceptance or rejection, and then click Next. The installation continues only when you accept the agreement. Accepting the agreement opens the Welcome dialog.
5 Select the database.
6 Continue with selecting database options.

See:
   - The Afaria Database on page 12
   - Creating User Accounts for Installing and Operating Afaria on page 12
   - Selecting SQL Anywhere Database Options on page 30
   - Selecting SQL Server Database Options on page 31
   - Selecting Oracle Database Options on page 31

Selecting SQL Anywhere Database Options


If you selected iAnywhere SQL Anywhere, continue with the SQL Anywhere Server Setup dialog.
1 Select your SQL Anywhere server name from the SA Server Name list. The list populates only with names of SQL Anywhere servers on the same subnet. If you need to locate a SQL Anywhere server outside the subnet, select the Edit Host/Port check box in order to provide the server information. The Host name may be a machine name or IP address.
2 Select a login type.
   - Integrated login: select this option to integrate your Windows login with your SQL Anywhere login.
   - SA user login: enter the login information for the database user with DBA authority that you created for your Afaria database.
   Click Next to continue.
3 On the SQL Anywhere Server database dialog, type the name of the database you created for Afaria, and then click Next to continue. The Afaria installation program validates the database you specify. If you type the database name incorrectly or type the name of the wrong database, you may see a "Request to start/stop database denied" error. If you are installing a replication server in a server farm environment, you must select the database for the existing Afaria server.
4 Continue with selecting server options.

See Selecting Server Options on page 33.

Selecting SQL Server Database Options


If you selected Microsoft SQL Server, continue with the SQL Server Setup dialog.
1 Select the SQL Server to use with Afaria.
2 Select either Windows Authentication to use a Windows administrator account with SQL Server privileges or SQL Server Authentication to use the SQL Server account with its associated password that you set up for Afaria. Click Next to continue.
3 On the SQL Server Database dialog, select the database you configured for Afaria. If you are installing a replication server in a server farm environment, you must select the database for the existing Afaria server. If you are reinstalling the Afaria server as standalone, you must select a new database.
4 Continue with selecting server options.

See Selecting Server Options on page 33.

Selecting Oracle Database Options


If you selected Oracle database, continue with the Oracle Setup dialog.
1 Select your Oracle driver and enter the Oracle service name.
2 Enter the credentials for the service: user name and password.
3 Click Next to continue.
4 Continue with selecting server options.

See Selecting Server Options on page 33.

Selecting Server Options


Select options for naming and operating the server.
1 On the Confirm Server dialog, review the information to ensure it is consistent with your intention, and click Next to continue.
2 On the Directory Selection dialog, accept the default location or click Browse to navigate to a new location.
3 On the Service Account dialog, specify the account name and password you created for operating Afaria.
4 In the Server Selection dialog, accept the default name or enter a descriptive name for the Afaria server. Each replication server in a server farm must have a unique name. The server name must not include the backslash (\) character.
5 If you are installing a main or standalone server, continue with selecting the authentication type. If you are installing a replication server for a farm, continue with completing the installation.

See:
   - Creating User Accounts for Installing and Operating Afaria on page 12
   - Selecting Authentication Type on page 34
   - Completing the Installation on page 36

Selecting Authentication Type


Select the user authentication type for client connections. Local authentication is always enabled.
1 In the Type of authentication dialog, select your authentication type.
   - NT domain authentication: select NT domain-based and enter the domain you plan to use for authentication. As the administrator, you must also be a member of this domain.
     If you do not choose a domain during installation, you can add a domain for authentication on the Server Configuration > Properties > Security page. To allow users to use blank passwords, additional operating system settings are required. Refer to Afaria Reference Manual | Platform > Server Configuration > Properties > Security to learn more about the requirements for allowing blank passwords.
   - Local authentication: select NT domain-based and keep <none> as the domain.
   - LDAP authentication: select LDAP-based.
2 For NT domain or local authentication, click Next to continue with completing the installation. For LDAP authentication, click Configure LDAP and continue with configuring LDAP information.

See Completing the Installation on page 36 and Configuring LDAP Information on page 34.

Configuring LDAP Information


Configure LDAP settings to support LDAP user authentication and channel assignments.
1 In the LDAP Server Login Information dialog, enter login information.
   - Server Address: enter your LDAP server address as either a fully qualified domain name such as afaria.mycompany.com or as an IP address.
   - Port Number: Afaria automatically defaults to the LDAP standard port 389. If you enter another port number, you must enter a number greater than 1024.
   - Server Type: select your LDAP Server type.
   - Use SSL: select to enable SSL communication with your LDAP server.
   - SSL Port Number: define the LDAP server port for SSL communications.
   - Anonymous Login: select Anonymous Login to allow the Afaria server to communicate with the LDAP server without using a dedicated LDAP user account for the server. If using anonymous login, configure your LDAP server to allow a search of the directory structure for users, user groups, and organizational units and all of their attributes.
   - User DN: if not using anonymous login, enter the User DN (Distinguished Name) for the LDAP account the Afaria server uses to communicate with the LDAP server. If you don't know the user name for the account, click Search User. You must have an LDAP proxy user configured for an anonymous login to be able to search for users. You can enter a name using a wildcard character to search for the correct User DN. For example, you can enter *mith or *mit* to search for Smith.
   - Password: enter the password for the LDAP account the Afaria server uses to communicate with the LDAP server.
2 In the LDAP Root Directory dialog, select a root directory that contains all of the groups, organizational units, and users the server requires for authentication and assignments.
3 In the LDAP User Characteristics dialog, select a characteristic.
   - LDAP Class Name for Users: select or enter the LDAP Class Name for Users.
   - User Name Attribute: select or enter the user name attribute to use in the LDAP environment. When client users connect to the server, they enter the user ID as the user name you specify.
4 In the LDAP Container Settings dialog, select a membership basis for assigning channels to users.
   - Support OU membership: select to assign channels to users based on their organizational unit (OU).
   - Support OU and group membership: select to assign channels to users based on both their OU and groups.
5 Continue with completing the installation.

See Completing the Installation on page 36.

Completing the Installation


Continue with the Ready To Start Installation dialog box to complete installation.
1 On the Ready to Start Installation dialog, click Install. The Setup Complete dialog opens when the installation is complete.
2 If you receive a message that a file is in use, choose an appropriate action.
   - Abort: quits the installation. If you are reinstalling and you abort the installation, you may find that some of the files were updated and some were not, leaving the installation in an undesirable state. Run the install program again to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.
   - Retry: close the application using the file specified, and then select Retry. Setup tries to install the file again. If the installation does not continue, select Ignore.
   - Ignore: continues the process but requires you to restart the computer in order to complete the installation.
   You may be prompted to restart your computer when the file copying process is completed. After restart, the installation program continues from the point at which it was interrupted.
3 Select whether to start the service at this time.
   - To allow connections immediately, start the service.
   - To continue with additional installations and configuration, do not start the service.
4 Click Finish.

Installing Afaria Administrator


Install Afaria Administrator on either the Afaria server or a different server.
1 Start the setup program.
2 On the setup menu, click Install.
3 Click Administrator, and click Next to continue.
4 On the Select Virtual Directory dialog, define the virtual directory for Afaria in IIS.
   - If you created a directory, select it from the list.
   - If you have not created a directory, type the name for the directory to create it. The directory appears in the IIS directory under Default Web Site.
5 On the Select Physical Directory dialog, enter the physical location to install Afaria Administrator files. If you are installing Afaria Administrator on the same server as the Afaria server, install Afaria Administrator in a different directory.
6 On the Specify Credentials dialog, specify the account name and password you used for the Afaria server installation.
7 On the Domain Selection dialog, enter the domain for selecting Afaria Administrator users to administer the Afaria server. To limit selection to only local users, keep <none> as the domain.
8 On the Ready To Start Installation dialog, click Install to begin the installation. The Setup Complete dialog box opens at completion.
9 If you receive a message that a file is in use, choose an appropriate action.
   - Abort: quits the installation. If you are reinstalling and you abort the installation, you may find that some of the files were updated and some were not, leaving the installation in an undesirable state. Run the install program again to restore stability and normal operations. If normal operations do not resume, uninstall the program and install it again.
   - Retry: close the application using the file specified, and then select Retry. Setup tries to install the file again. If the installation does not continue, select Ignore.
   - Ignore: continues the process but requires you to restart the computer in order to complete the installation.
   You may be prompted to restart your computer when the file copying process is completed. After restart, the installation program continues from the point at which it was interrupted.
10 On the Setup Complete dialog, click Finish to close the installation program. An Afaria Administrator shortcut appears on the desktop.
11 If you used a predefined virtual directory for this installation, rather than allowing the setup program to create one for you, then verify the Afaria Administrator IIS settings before operating the Afaria Administrator program.

See Verifying Afaria Administrator IIS Settings on page 38.

Verifying Afaria Administrator IIS Settings


If you used a predefined virtual directory when installing Afaria Administrator, rather than allowing the setup program to create one for you, or if you are having problems accessing Afaria Administrator from a browser, verify the IIS settings.
1 Using Windows IIS Manager, locate the virtual directory created for Afaria Administrator.
2 Right-click the virtual directory and select Properties.
3 Verify the appropriate settings.
   - On the Virtual Directory page, verify the installation path for Afaria Administrator and verify that read and write access is enabled.
   - On the Documents page, verify that the files default.asp and default.aspx appear in the list.
   - On the Directory Security page, in the authentication and access area, click Edit. Ensure that anonymous access is disabled and Integrated Windows authentication is enabled.
4 To test the virtual directory, right-click it again in IIS and select Browse. The Afaria Administrator home page should open in your browser.
   If you have stopped and restarted IIS at any time before opening Afaria Administrator, ensure that the WWW Publishing Service also started when you restarted IIS. If it is not started, you can reset IIS, or you can restart it manually. This service must be running in order for you to open Afaria Administrator.

Changing the IIS Connection Timeout Value


Change the IIS connection timeout value to prevent the Afaria server from disconnecting with an inactive browser user. Disconnected sessions can result in data loss.
1 Using Windows IIS Manager, locate Default Web Site.
2 Right-click Default Web Site and select Properties.
3 In the connections area, increase the time out to meet your needs.
   When you change this value, it impacts all the Default Web Site members. Ensure you have determined an acceptable value for all sites.
4 Click OK.

Starting Operations
To get started with Afaria after completing the installation, complete tasks that prepare for, and validate, basic operations. Product documentation guide Afaria Reference Manual | Platform covers these and other tasks in greater detail.
1. Log in a first time using the installing user account context.
2. Add your Afaria server to the server list.
3. Add yourself as a user for:
   - Afaria operations
   - (Optional) Afaria access policies
4. Return to the default page by clicking Exit.
5. Log in a second time using your Windows user account.
6. Start the Afaria server.

See also:
- Logging in as the Default User
- Adding a Server to the Server List
- Users and Roles in Afaria
- Logging in as an Added User
- Starting/Stopping/Restarting the Afaria Server

Logging in as the Default User


Use the default user's credentials to log into the Afaria Administrator application. By default after installation, the only user that can log in to the Afaria Administrator application is the user that installed the product. If you are in a different user context, the application prompts you for the installing user's credentials.

1. Open Internet Explorer and enter the Afaria Administrator address.
   Syntax: http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDirectory>
   If your current user context is different from the user context for installing the product, then the Enter Network Password dialog opens.
2. Enter the installing user's name, password, and domain and click OK. Domain is not required when logging in to a local machine.
   The Afaria Administrator server list opens in your browser window without any servers on the list.

Adding a Server to the Server List


Add your server to the server list for users to access. The server list is what Afaria administrators see and choose from when they log in to the Afaria Administrator product.
1. On the global navigation bar, click Access policies.
   The Access Policies link and page are available only to the installing user and users assigned to the Access Administrator role.
2. Right-click Servers in the left pane and select Add Server.
3. Type a name, address, and description for the server. The address can be either an IP or DNS address. The description helps Afaria users recognize named servers.
4. Click Test Server Connection. The test configures the connection, validates the address, and validates whether the server is running.

Users and Roles in Afaria


The Afaria Administrator application controls general access to the application. Once a user has general access, the Administrator application controls access to different features by using roles, to which users are, or are not, assigned.

- Access policies role: Role for access to the Access Policies feature, which includes control over role assignments and adding and removing servers.
- Server operations roles: Role for server operations, such as for individuals who perform administrative operations and provide support for users.

By default after installation, the only user with access policy rights is the installing user. Add users after adding one or more servers. For basic operations upon which you can build later, add yourself as a user in roles for:

- Access policies
- Server operations

Adding a User for Access Policies


Add users to the Access Policies role to give them rights to add or remove users and servers. The product includes a predefined user role called Access Administrators. By default, the only user assigned to this role is the installing user. It is defined to enable access to the Access Policies feature, a link to which is located on the Afaria default page when logging in. Users not assigned to this role do not see the link and cannot access the feature.
1. On the Access Policies page's left pane, select Access Administrator.
2. On the right pane, click Add. The Available Users list box populates with users from the local computer and from any domains that you included during product installation. Both user groups and individual users are included in the list.
3. Select a user or group from the available list and move it to the assigned list.
4. Click OK.

Adding a User for Operations


Add users to the Administrator role to allow them unrestricted access to the server. The product includes a predefined user role called Administrators. Users not assigned to a role for a server do not see that server on the server list when they log in.
1. On the Access Policies page's left pane, expand the server you defined and select the Administrators role.
2. On the right pane, click the Users tab and click Add. The Available Users list box populates with users from the local computer and from any domains that you included during product installation. Both user groups and individual users are included in the list.
3. Select a user or group from the available list and move it to the assigned list.
4. Click OK.

Logging in as an Added User


Use your Windows user credentials to log in as a user. Log in to Afaria a second time, using your Windows user credentials. You can switch your user context by using the Logon As User feature.

1. From the Afaria default page, click Logon As User. The Connect To dialog opens.
2. Supply your Windows user credentials and click OK. The default page opens with content appropriate for your user role. Your user context displays on the banner.

Starting/Stopping/Restarting the Afaria Server


Use Start, Stop, or Restart commands to control the state of the Afaria Server. Server/client sessions can run only when the server is started. You can conduct other operations, such as reviewing logs or reports, performing server configuration, or performing administration and user support tasks when the server is in a stopped or started state. Some configuration changes require restarting the server to take effect.
1. From the Afaria default page, click the role link that is associated with the server to start. The Server Status page opens. The page includes a dynamic link that changes between Start Server or Stop or Restart Server, depending on the current state of the server.
2. Click the Start Server or Stop or Restart Server link to open the Current Status dialog. The dialog is dynamic based on the current state of the server and the relevant actions. Click on the appropriate action:
   - Start: start a stopped server
   - Stop: stop a started server
   - Restart: stop then start a started server

Accessing Afaria Administrator from a Remote Location


Use remote access to log into the Afaria Administrator Web application when you do not have physical access to the Afaria Administrator server. If a user uses only one browser type, 32-bit or 64-bit, this process is required only once for that browser. If a user uses both browser types, it is required once for each browser.

1. Open Internet Explorer and type the address for the Afaria Administrator installation you want to view.
   Syntax: http://<AfariaAdministratorAddress>/<AfariaAdministratorVirtualDir>
   A configuration message opens in your browser window, similar to the following example:
2. Right-click the Click to configure security link and select Save Target As on the shortcut menu. Save the file to your computer.
3. Open or run the downloaded file to open the Security Configuration Manager dialog box.
4. Type the Afaria Administrator address from the dialog box according to the format http://<localhost>/<VirtualDirectory> and click OK.
5. Click OK to close the Success message box.
6. Close Internet Explorer.
7. Open the Afaria Administrator shortcut on your desktop. Internet Explorer opens and launches Afaria Administrator. The server list appears. It is populated only with Afaria servers for which you have access rights. For more information, see Adding a Server to the Server List.

Server Configuration
The Server Configuration features let you define system-wide parameters. This section briefly covers each link in the Server Configuration area. For more details about server configuration, see the Afaria Reference Manual | Platform > Server Configuration.

Server Configuration: Properties


The Server Configuration Properties enables you to define parameters that define client communications, server performance, and settings for optional components.

Properties > Communication: use communication properties to configure parameters for communication sessions with your clients. These parameters include:

- Bandwidth throttling: increase or decrease the communication rate throughout the course of a client session, allowing client users to run other network applications more effectively when they communicate with the Afaria server.
- Compression: add files to or view the cache of compressed files that are frequently sent to clients. This reduces connection time and improves system performance.
- Client communication: use the Client Communication page to define communicating with your Afaria clients including communication protocol, SSL certificate and key, and server address seed value for creating new clients.
- Differencing: maintain different versions of files that you frequently send to clients; the server sends only the updated bytes of each file in the differencing cache.
- Server identification: set or change the server's friendly name, which is visible to Windows Channel Viewer clients.

Properties > Server: use server properties to configure parameters for server information and behavior. These parameters include:

- Contact: provide Channel Viewer users with information regarding the person to contact if they have questions with their client devices or encounter problems during a communication session with the server.
- Exchange Access Config: for the Afaria Access Control for Microsoft Exchange feature, the Exchange Access Config property page lets you define parameters for operating the ISAPI listener on the Afaria server.
- Failed session cleanup: control how the system handles failed communication sessions between clients and the server.
- License: view information about your system, including a list of licensed components and client types, the number of licensed sessions, expiration dates (if any), and a brief description of the license type.
- Logging policy: determine the global logging policy settings. All logs are enabled by default.

- Log cleanup: specify the cleanup time for the individual logs.
- OTA Deployment Center: establish settings for Afaria client and Afaria server communication with the OTA Deployment Center.
- SMS Gateway: define settings for an Afaria Short Message Service (SMS) gateway.
- Security: configure settings for security measures, including authentication, domain assignments, and client approval. If you are using LDAP for authentication and assignments, you can also enable and configure SSL for LDAP to increase security when you communicate with your Windows clients.
- SMTP: establish SMTP server settings for your Afaria-initiated, SMTP-based communications.
- User-defined fields: create new fields in your database tables related to the A_CLIENTS table and read from/write to these fields using the session worklist variables Set Database Field and Get Database Field used for writing to or reading from the database.
- Outbound notification: control the volume parameters for outbound notification sessions to keep the Afaria server from being overwhelmed with incoming sessions.
- Relay server: define settings for using a relay server for your Afaria operations. The relay server operates as a proxy for HTTP and HTTPS sessions between the Afaria server and its Afaria clients.

Properties > Component configuration: use component configuration properties to configure global settings for installed optional components. These parameters include:

- AV/Firewall: define the disposition of new client files or pattern files and identifies the date of the last update.
- Backup Manager: define the physical location for backup storage and define associated log and alert thresholds.
- Document Manager: apply default location settings for your file selections and settings for alternate media sources.
- Exchange Access Policy: define a synchronization policy for your enterprise's devices that use Microsoft Exchange ActiveSync to synchronize with your organization's Microsoft Exchange Server.
- iOS Server: define properties for the Afaria iOS provisioning server and the certificate authority (CA) server.
- OMA DM: define the OMA DM server address properties that OMA DM clients need to communicate with the OMA DM server.
- Patch Manager: define the location for storing downloaded patches.

Server Configuration: Schedules


Use schedule properties to review and manage system-defined scheduled tasks. The system requires that these tasks execute on a regular basis for ongoing Afaria operations. You can change the schedule for a task or run a scheduled task on demand to suit your needs.

Server Configuration: Client Types


Afaria client types enable you to create and edit custom client types as subtypes to system-defined client types. You may want to create client types for short-term or long-term management purposes. You can create a client type that is defined by the specific operating system, the version, and service packs that have been applied, and so on. You can use these client types when you assign management tasks.

Server Configuration: Alerts


Alert definitions enable you to define and manage which Afaria events (logged actions or conditions relating to your Afaria server, Afaria Administrator, or Afaria clients) raise alerts on your Afaria Administrator. Alerts appear on the Alerts page when the event is detected so you can acknowledge and resolve them. Optionally, you define alerts to notify a contact when some event of interest occurs.

Server Configuration: Tenants


Use the Tenants page to maintain tenant records. A tenant is an entity that you can associate with a subset of the client base and its related operations and assets. You must create a tenant record before you can create clients for a tenant or use other multitenancy features.

Server Configuration: License Compliance


The License Compliance page enables you to track software licenses, including their installed versus purchased state on your Afaria clients, their effective and expiration dates, and how often users run specific applications. This page appears empty until you define software licenses in your database.

Server Configuration: Patch Console


The Patch Console page enables you to view a Microsoft product list and applicable patches that are available for download from the Microsoft site. You may use the page to research and select patches for download and initiate the download action. Downloading patches is a prerequisite action for using Afaria Patch Manager to manage patch delivery to your Afaria clients. The Patch Manager component leverages Microsoft's Baseline Security Analyzer (MBSA) and Windows Update Agent (WUA) technologies to keep your client information current. It requires relevant Microsoft executables for initial and ongoing operations. Refer to Afaria Reference Manual | Platform for instructions on obtaining these executables.

Additional Installation and Resource Items


Additional installations are available on the Additional Installations and Resources menu. These items are available:

- OTA Deployment Services on IIS: install Over-the-Air (OTA) Deployment Center in a Windows IIS environment.
- Access Control for Exchange: install the Afaria ISAPI filter on a Microsoft Exchange Server's IIS Server to support Afaria Access Control for Microsoft Exchange features.
- SMS (Short Message Service) Gateway Resources: access third-party resources for installing SMS gateway components.
- iOS Installations: install the Afaria Provisioning server on an IIS Server or the Afaria Simple Certificate Enrollment Protocol (SCEP) Plug-In Module on your certificate authority (CA) server. These components support Afaria iOS features.
- OMA DM (Open Mobile Alliance Device Management): install the OMA DM server to send OMA DM messages to OMA-DM-enabled devices that are known to the Afaria server.

Setting Up the OTA Deployment Center


Set up an Afaria Over-The-Air (OTA) Deployment Center to provide over-the-air Afaria Client deployment services to your current or planned Afaria Client device base.
Using Afaria's over-the-air (OTA) deployment features is not a requirement in your Afaria environment. Afaria also supports deploying Afaria clients using companion PCs, networks, and client APIs. The Afaria Administrator Web application, which runs on a Windows IIS Web server, and the Afaria OTA Deployment Center application, which can run on either an IIS Web server or an Apache Web server, are typically on separate servers. However, the applications can coexist if they are configured to ensure that they do not share TCP ports.

The deployment center is a Web application that is a separate component from the Afaria server and Afaria Administrator. The Afaria Clients it deploys are Afaria Client software packages that you create using the Afaria Create Client Installation program. Afaria supports using the deployment center to deploy client packages to the following Afaria client types:

- BlackBerry
- Palm
- Windows Mobile Professional (including Windows CE)
- Windows Mobile Standard
- Symbian
- Windows

These client types are distinguished from other Afaria client types that do not install Afaria Client software, such as iOS clients, or OMA DM clients.

Afaria supports setting up the deployment center in the following Web server/OS environments:

- IIS Web server on a Windows OS
- Apache Web server on a Windows OS
- Apache Web server on a Linux OS

The following steps summarize the procedure for setting up an OTA Deployment Center:
1. Get prerequisite components from Sybase third-party component site.
2. (Apache on Windows) Install Apache HTTP server component.
3. Install PHP scripting engine component.
4. Install PHP Concept Library Zip component.
5. Install the OTA Deployment Center.
   - (IIS) Install the deployment center by running the OTA Deployment Center setup program.
   - (Apache) Install the deployment center by copying OTA Deployment Center files from the Afaria product image.

Getting Prerequisite Components


Get prerequisite components that you need to prepare for setting up an OTA Deployment Center. The third-party components required for the deployment center are not included with the Afaria product, as they are not subject to unlicensed distribution. You must obtain the products and licenses directly from their issuing party.
1. Visit the Afaria third-party component dependency reference page, where you can find version information and download instructions for obtaining the required components.
2. Obtain the components required for your Web server/OS environment:
   - (Apache on Windows) Apache HTTP Server, a Web server
   - PHP scripting engine
   - PHPConcepts PclZip

Installing Apache HTTP Server


Install the Apache HTTP Server, a Web server, if you are setting up an OTA Deployment Center to operate using Apache on a Windows OS. If you are setting up a deployment center to operate using Apache on a Linux OS, the OS is likely to have Apache already installed. Complete the following procedures to install the Apache server:
1. Use the Windows installer (.msi) to install the server components. Choose the typical install option, supplying the specific network, server, and administrator email information for your particular server. A typical installation installs the binaries, configuration and data files under the C:\Program Files folder. If your Windows environment has this folder locked, it may be necessary for you to use the custom install option and install to a different location or modify the Apache configuration after the installation is complete. Refer to the Apache documentation for further details.
2. Secure the Apache server. Although there are many methods for securing the Apache server, a minimum recommendation is that you edit the Apache Configuration File (httpd.conf) to turn off the Indexes option for the directory root in order to prevent browsing. You can also access the file via the Windows Programs menu or you can locate it in the following path: C:\Program Files\Apache Group\Apache2\conf
   Place a dash (-) in front of the word Indexes from the root directory's configuration. See the last line in the following excerpt from the configuration file.

    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "C:/Program Files/Apache Group/Apache2/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.0/mod/core.html#options
    # for more information.
    #
    Options -Indexes FollowSymLinks

Installing PHP Scripting Engine


Install the PHP scripting engine if you are setting up an OTA Deployment Center in either a Windows or Linux environment. The engine becomes part of the deployment center's architecture.

1. Create a new folder named PHP under the following path: C:\Program Files
2. Extract the contents of the PHP distribution zip file to the new folder. Ensure that the directory structure contained in the zip file is preserved during extraction.
3. Edit the Apache configuration file (httpd.conf) to add the following directives.
   LoadModule directives:

    LoadModule php5_module "c:/Program Files/php/php5apache2.dll"
    PHPIniDir "C:/Program Files/PHP"

   AddType directive:

    AddType application/x-httpd-php .php

4. Create a folder named Includes under the following PHP installation folder path: C:\Program Files\PHP
5. Create a copy of file php.ini-recommended, from the root of the PHP installation folder, in the same folder.
6. Rename the copy to php.ini.

7. Verify or edit php.ini settings as indicated in the following sample. Many of the required and recommended settings are already set. The convention of bracketed annotations (e.g. [Required]) is introduced only in this sample to provide supplemental information.

    [Strongly recommended for security] set/verify register_globals=off
    [Required] set post_max_size = 32M
    [Required] set/verify magic_quotes_gpc=off
    [Suggest, security reasons*] set safe_mode=on
                                 safe_mode_gid=on
                                 safe_mode_include_dir="C:\Program Files\PHP\Includes"
    [Recommended for security] set open_basedir="C:\Program Files\PHP\Includes"
    [Recommended for security] set file_uploads=off
    [Recommended for security] set allow_url_fopen=off
    [Required] set extension_dir="C:\Program Files\PHP\ext"
    [Required] add extension=php_soap.dll to extensions list
    [Required] set soap.wsdl_cache_enabled=1

* The setting set safe_mode=on requires additional settings if turned on. Please refer to the PHP documentation (including comments in php.ini) for more details.
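An added example, not part of the Sybase guide: a Python check that compares a php.ini file against the required and recommended values in the sample above. The inline php.ini text is constructed for the demonstration, and the function and table names are hypothetical.

```python
"""Audit a php.ini against the values in the guide's annotated sample."""

# (directive, expected value, level) copied from the sample in the guide.
EXPECTED = [
    ("register_globals", "off", "strongly recommended"),
    ("post_max_size", "32M", "required"),
    ("magic_quotes_gpc", "off", "required"),
    ("safe_mode", "on", "suggested"),
    ("safe_mode_gid", "on", "suggested"),
    ("safe_mode_include_dir", r"C:\Program Files\PHP\Includes", "suggested"),
    ("open_basedir", r"C:\Program Files\PHP\Includes", "recommended"),
    ("file_uploads", "off", "recommended"),
    ("allow_url_fopen", "off", "recommended"),
    ("extension_dir", r"C:\Program Files\PHP\ext", "required"),
    ("soap.wsdl_cache_enabled", "1", "required"),
]
REQUIRED_EXTENSIONS = ["php_soap.dll"]

# php.ini boolean spellings, folded so that "On" and "1" compare equal.
_BOOL = {"on": "1", "true": "1", "yes": "1", "1": "1",
         "off": "0", "false": "0", "no": "0", "none": "0", "0": "0", "": "0"}


def _value(raw):
    """Strip quotes, or cut an unquoted value at its trailing ';' comment."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(";", 1)[0].strip()


def _norm(value):
    """Case-fold, fold booleans, and ignore a trailing path separator."""
    value = value.strip().lower()
    return _BOOL.get(value, value.rstrip("\\/"))


def parse_php_ini(text):
    """Return ({directive: value}, [extensions]); the last assignment wins."""
    settings, extensions = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue  # blank line, comment, or section header
        key, sep, raw = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "extension":
            extensions.append(_value(raw).lower())
        else:
            # Directive names are case-sensitive in PHP, so the key is kept
            # exactly as written: a miscapitalised name sets nothing useful.
            settings[key] = _value(raw)
    return settings, extensions


def audit(text):
    """Return (level, directive, found, expected) for every deviation."""
    settings, extensions = parse_php_ini(text)
    findings = []
    for name, want, level in EXPECTED:
        have = settings.get(name)
        if have is None:
            findings.append((level, name, "not set", want))
        elif _norm(have) != _norm(want):
            findings.append((level, name, have, want))
    for ext in REQUIRED_EXTENSIONS:
        if ext not in extensions:
            findings.append(("required", "extension", "not loaded", ext))
    return findings


# Constructed sample, not taken from a real server.
SAMPLE_INI = r'''
[PHP]
register_globals = Off
post_max_size = 8M            ; too small for the deployment center
magic_quotes_gpc = Off
safe_mode = On
Safe_mode_gid = On
safe_mode_include_dir = "C:\Program Files\PHP\Includes"
open_basedir = "C:\Program Files\PHP\Includes"
file_uploads = On
allow_url_fopen = Off
extension_dir = "C:\Program Files\PHP\ext"
;extension=php_soap.dll
soap.wsdl_cache_enabled = 1
'''

if __name__ == "__main__":
    for level, name, have, want in audit(SAMPLE_INI):
        print(f"[{level}] {name}: found {have!r}, guide says {want!r}")
```
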

Installing PHPConcepts PclZip


Install the PHPConcepts PclZip library if you are setting up an OTA Deployment Center in either a Windows or Linux environment. The library becomes part of the deployment center's architecture. The following procedures describe the installation process for a Windows operating system. You must adapt these procedures for a Linux environment.

1. Extract the contents of the PclZip distribution file into the following path: C:\Program Files\PHP\Includes
   This creates a new folder named pclzip<version>.
2. Rename the folder to pclzip.
3. Open the PHP configuration file (php.ini) located in the following path: C:\Program Files\PHP
4. Locate the include_path setting that is associated with the Windows path setting. Modify it by removing the leading semi-colon and updating the path value to match your installation's PclZip path, as shown in the following excerpt.

    ;;;;;;;;;;;;;;;;;;;;;;;;;
    ; Paths and Directories ;
    ;;;;;;;;;;;;;;;;;;;;;;;;;
    ; UNIX: "/path1:/path2"
    ;include_path = ".:/php/includes"
    ;
    ; Windows: "\path1;\path2"
    include_path = ".;C:\Program Files\PHP\Includes\PclZip"

Installing the Deployment Center for an IIS Web Server


Install the OTA Deployment Center files if you are setting up an OTA Deployment Center for an IIS Web server in a Windows OS environment. Install the deployment center files by running a setup program located on the product image.

1. From the IIS Web server, locate the setup program on the Afaria product image: <product image>\OTADeploymentCenter\setup.exe
2. Launch the setup program and follow the wizard to completion.

Installing the Deployment Center for an Apache Web Server


Install the OTA Deployment Center files if you are setting up an OTA Deployment Center for an Apache Web server in either a Windows or Linux OS environment. Installing the OTA Deployment Center requires that you manually copy a collection of source files from the Afaria product image onto the Apache Web server and edit some configuration text files. The path locations in this procedure are for a Windows environment. Adapt these paths for a Linux environment. Complete the following procedures if you are installing the deployment center onto a new Web server, rather than integrating it with an existing one.

1. Under the PHP Includes folder (C:\Program Files\PHP\Includes), create the following folders:
   - iAnywhere
   - iAnywhere\OTA
   - iAnywhere\OTA\download
   - iAnywhere\OTA\management
2. Copy files from the Afaria product image to the new folders as follows:
   - \Deployment Center\download\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\download\*.*
   - \Deployment Center\management\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\management\*.*
   - \Deployment Center\scripts\*.* to C:\Program Files\PHP\Includes\iAnywhere\OTA\*.*
3. Modify the include_path setting in the PHP configuration file C:\Program Files\PHP\php.ini to add the location of the deployment center scripts, as shown in the following excerpt.

    include_path = ".;C:\Program Files\PHP\Includes\PclZip;C:\Program Files\PHP\Includes\iAnywhere\OTA"

   This is the same setting modified for the PclZip installation.

4. Add the following excerpt to the end of the Apache configuration file (httpd.conf). The Apache configuration requires using the forward slash mark / in path statements for proper implementation.

    ### Afaria OTA Deployment Download and Management script directories
    # Set "Options -Indexes" and "DirectoryIndex" to allow
    # operation of script by access to directory only.
    Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA/download"
    <Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/download" >
        Options -Indexes
        DirectoryIndex OTADownload.php
    </Directory>
    Alias /Afaria/OTAmgmt "C:/Program Files/PHP/Includes/iAnywhere/OTA/management"
    <Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/management" >
        Options -Indexes
    </Directory>
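An added example, not part of the Sybase guide: a Python check that reads an httpd.conf and reports every Directory block or Alias target where directory listings (Indexes) are not switched off, which is what both Apache excerpts in this guide configure. The sample configuration is constructed, the function names are hypothetical, and Options set outside a Directory block are not evaluated.

```python
"""Report Directory blocks and Alias targets that still allow Indexes."""
import re

DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^</Directory>', re.I)
OPTIONS = re.compile(r'^Options\s+(.+)$', re.I)
ALIAS = re.compile(r'^Alias\s+(\S+)\s+"?([^"]+?)"?\s*$', re.I)


def _norm(path):
    """Compare Windows paths without regard to case or slash style."""
    return path.replace("\\", "/").rstrip("/").lower()


def _indexes_state(tokens):
    """Classify one Options line as 'on', 'off' or 'inherit' for Indexes."""
    low = [t.lower() for t in tokens]
    if "-indexes" in low:
        return "off"
    if "+indexes" in low or "indexes" in low or "all" in low:
        return "on"
    if all(t[0] in "+-" for t in low):
        return "inherit"   # only signed tokens: merged with the parent
    return "off"           # a bare list without Indexes replaces the parent


def parse_conf(text):
    """Return ({dir: state}, {url: dir}, [dirs with mixed Options syntax])."""
    blocks, aliases, mixed, current = {}, {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DIR_OPEN.match(line)
        if m:
            current = _norm(m.group(1))
            blocks.setdefault(current, "inherit")
        elif DIR_CLOSE.match(line):
            current = None
        elif OPTIONS.match(line) and current is not None:
            tokens = OPTIONS.match(line).group(1).split()
            signed = sum(t[0] in "+-" for t in tokens)
            if 0 < signed < len(tokens):
                # Apache 2.4 refuses to start on a line that mixes signed
                # and bare options; report it so an upgrade does not surprise.
                mixed.append(current)
            blocks[current] = _indexes_state(tokens)
        elif ALIAS.match(line):
            m = ALIAS.match(line)
            aliases[m.group(1)] = _norm(m.group(2))
    return blocks, aliases, mixed


def effective_state(path, blocks):
    """Walk up to the nearest Directory block that decides Indexes."""
    parts = _norm(path).split("/")
    while parts:
        state = blocks.get("/".join(parts), "inherit")
        if state != "inherit":
            return state
        parts.pop()
    return "unknown"       # nothing decides it: the server default applies


def audit(text):
    blocks, aliases, mixed = parse_conf(text)
    targets = dict.fromkeys(list(blocks) + list(aliases.values()))
    listing = [(p, effective_state(p, blocks)) for p in targets]
    return {"listing": [(p, s) for p, s in listing if s != "off"],
            "mixed": mixed}


# Constructed sample: stock DocumentRoot options and a missing management block.
SAMPLE_CONF = '''
<Directory "C:/Program Files/Apache Group/Apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
Alias /Afaria/OTA "C:/Program Files/PHP/Includes/iAnywhere/OTA/download"
<Directory "C:/Program Files/PHP/Includes/iAnywhere/OTA/download" >
    Options -Indexes
    DirectoryIndex OTADownload.php
</Directory>
Alias /Afaria/OTAmgmt "C:/Program Files/PHP/Includes/iAnywhere/OTA/management"
'''

if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    for path, state in report["listing"]:
        print(f"Indexes {state}: {path}")
    for path in report["mixed"]:
        print(f"mixed signed/bare Options: {path}")
```
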

Deployment Center File Types


The OTA Deployment Center uses the following types of source files for executing different roles in product implementation:

- PHP Scripts: Executable scripts that do not change at runtime.
  - Scripts exposed by the Web server: These scripts are separated into two categories so that you can apply different access permissions to each.
    - Download: Contains one script file (OTADownload.php). This file is referenced by Afaria client download requests. It is suggested that you obfuscate it by making it the default (index) file for the directory. This location must be referenced by the Afaria server configuration properties.
    - Management: Contains the script that implements the Web services used by the Afaria server. This location must be referenced by the Afaria server configuration properties.
  - Deployment center implementation scripts: These scripts are included (used) by the download and management scripts. These scripts are not intended for direct access from the Web server. Direct access is reserved for the PHP script engine, as referenced by the PHP include_path directive.
- Deployment Center data files: Files that are modified by the system at runtime.
  - Database files: Contains information about the set of files published to the deployment center for download. This location is referenced by the deployment center configuration.
  - Deployment files: The set of files published for download to devices. This set of files is determined at runtime through the file publication management functions. There are two classifications of these files:
    - Indirectly accessed: These files are not directly accessible from the Web server, but are served by the download scripts. This location is referenced by the deployment center configuration.
    - Directly accessed: These files are directly accessible from the Web server. They reside in sub-folders under the location of the download script.
  - Log files: These files are written by the system for status, audit and debug logging. This location is referenced by the deployment center configuration.

Deployment Center File Locations


If you need to install and integrate OTA Deployment Center files with an existing Web server, rather than installing on a new Web server, you can modify file locations for the files that make up the deployment center. The following information describes the paths for the source files that make up the deployment center.

Script locations:

- Implementation scripts: <PHP include file root>/iAnywhere/OTA
- Download scripts: <PHP include file root>/iAnywhere/OTA/download
- Management scripts: <PHP include file root>/iAnywhere/OTA/management

Data file locations, located under the implementation scripts directory:

- Database files: <PHP include file root>/iAnywhere/OTA/database
- Deployment files, indirect access: <PHP include file root>/iAnywhere/OTA/files
- Deployment files, direct access: Automatically created folders under the location of the download scripts
- Log files: <PHP include file root>/iAnywhere/OTA/logs

Setting Up Access Control for Microsoft Exchange


Afaria Access Control for Microsoft Exchange adds a layer of protection to your Microsoft Exchange Server. It filters Exchange ActiveSync handheld device synchronization requests by the default and exception policies you define. If you are licensed for Windows Mobile, Symbian, iOS, or Android:
1. Prepare clients according to type:
   - (Android, Windows Mobile, Symbian clients) Connect clients to the Afaria server to report their Exchange identifying data.
   - (iOS) Use the Data Views > Clients page to add iOS device definitions.
   See Afaria Reference Manual | Platform > Creating Clients.
2. On the Afaria Administrator, use the Server Configuration > Properties > Exchange Access Config page to configure settings for the Afaria ISAPI filter that you will install on the Microsoft Exchange Server's IIS Server. See Afaria Reference Manual | Platform > Server Configuration > Properties > Exchange Access Config.
3. On the IIS Server that services your enterprise's Microsoft Exchange Server, use the Afaria setup menu > Additional Installations > Access Control for Exchange option to install the Afaria ISAPI filter. Customers who are upgrading can install the filter over the existing filter.
   The policies defined for known and unknown devices go into effect, and the devices you prepared are identified as known devices.

Afaria Access Control for Microsoft Exchange Architecture


The access control architecture includes integration points between the Microsoft Exchange environment and the Afaria environment. The Microsoft Exchange environment includes IIS and may be implemented as a multiserver environment.

Access Control for Exchange Architecture ISAPI Filter Implementation

The diagram includes these items:

1. Afaria ISAPI filter: when a client connects for a Microsoft ActiveSync request, queries the Afaria PowerShell service to determine whether to allow or block the current client's synchronization request.
2. Afaria PowerShell service: receives requests from the ISAPI filter and responds with the connecting client's allow or block synchronization instruction. According to the polling interval, queries the Afaria server's ISAPI filter listener to refresh the client and policy list.
3. Afaria server service: starts the Afaria ISAPI filter listener process.
4. Afaria ISAPI filter listener: receives requests from the Microsoft PowerShell service to refresh the client and policy list. Upon request, queries the Afaria database to compile a list of known devices and their associated policies and any defined policies for unknown devices.

Access Control for Exchange Architecture Implementation in a Nonmultitenancy Environment

The diagram includes these items:

1. Microsoft Exchange environment with ISAPI filter on the IIS Server: allows or blocks Microsoft ActiveSync requests, as determined by the Afaria ISAPI filter.
2. Afaria server with ISAPI filter listener: according to the polling interval, receives requests from the Exchange environment and responds with the most current list of clients and associated synchronization policies.

Access Control for Exchange Architecture Implementation in a Multitenancy Environment

The diagram includes these items:

1. Tenant customer site's Microsoft Exchange environment with ISAPI filter on the IIS Server: allows or blocks Microsoft ActiveSync requests, as determined by the Afaria ISAPI filter. According to the polling interval, queries the Afaria environment to refresh the client and policy list.
2. (Optional) Relay server: serves as a proxy for communication from tenant sites to hosting site.
3. Hosting site: hosts the primary Afaria server components behind the hosting organization's firewall.
4. Afaria server with ISAPI filter listener: upon request, responds to requests for a client and policy list from the Exchange environment with the most current list of clients and associated synchronization policies.

Installing the Afaria ISAPI Filter


Install and configure the ISAPI filter, with its supporting files and Afaria polling agent, on your Microsoft Exchange Server's IIS Server, to begin enforcing the access control policies you defined on the Afaria server.

The Afaria Access Control for Microsoft Exchange feature requires that you install and register the Afaria ISAPI filter with its supporting files and Afaria polling agent onto the IIS Server that services your Exchange Server. ISAPI filters are DLL files that modify and leverage IIS functionality. The filter monitors all Exchange ActiveSync synchronization requests on behalf of Afaria, discarding any requests that do not meet your Afaria-defined policy for valid ActiveSync requests. The polling agent queries the Afaria server at defined intervals for a list of known devices and policies.

If you are operating a multitenant environment and plan to use a relay server for connections from each tenant's Microsoft Exchange environment, you must first implement the relay server for your Afaria server, regardless of whether you plan to use it for Afaria client connections.

The filter, its supporting files, and the polling agent are removable.

1. Install the ISAPI filter on the IIS Server.
2. Set the authentication method for the filter.

Installing the ISAPI Filter on the IIS Server

Install the Afaria ISAPI filter on the Exchange Server's IIS Server as part of the Afaria Access Control for Microsoft Exchange feature implementation.

Deliver this information to the IIS Server administrator for installation:
• ISAPI filter folder, as provided on the Afaria product image. The folder contains the installation wizard. Choose the 32-bit or 64-bit folder to match the bit state of the IIS Server's operating system.
• Afaria server address or, if using the relay server as a proxy, the relay server address and farm ID, as configured for the Afaria server.
• Afaria configuration data, including protocol, port, and host name data, as defined on the Afaria Administrator > Server Configuration > Properties > Exchange Access Config page.

1. On the IIS Server, store the ISAPI filter folder in a temporary directory on the IIS Server's local drive.
2. Open the folder and run the setup executable to open the Afaria ISAPI Filter Setup program wizard.
3. Follow the installation wizard until the installation is complete. The wizard includes these primary pages:
   • Blocking Options: defines whether to block or allow synchronization requests that are initiated from sources other than handheld ActiveSync clients.

   • Server Settings: address for the Afaria server or, if using the relay server as a proxy, the relay server address and farm ID, as configured for the Afaria server. The farm ID you enter must match the Afaria server's relay server farm ID. The relay server implementation for the ISAPI filter uses the farm ID you enter and appends _IIS to the string. Your relay server configuration file must have corresponding farm IDs defined for the Afaria server and the Afaria server's ISAPI listener.
   • Specify Credentials: specify the account name and password used to run the Afaria service on the Afaria server.
4. (Optional) To verify the filter properties, open the IIS Server's Default Web Site > Properties > ISAPI Filters tab. Look for filter name XSISAPI.DLL on the list. You can also verify that XSISAPI service is started in the Microsoft Management Console, which corresponds to process XSSrvAny.exe.

The filter's polling frequency back to the Afaria server is determined by Afaria server configuration settings for Exchange Access Control for the Exchange Server's unknown device policy.
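The farm ID rule from the Server Settings page (the filter appends _IIS to the farm ID you enter, and the relay server configuration file must define both farms) can be checked before running the wizard. The following is an added example, not Sybase code: the [backend_farm] and [backend_server] section names come from this guide, while the property names id, farm and enable, the # comment syntax, and the sample values are assumptions.

```python
import re

# Constructed sample configuration. Host names and IDs are placeholders;
# the property names (id, farm, enable) are assumptions about the file format.
SAMPLE_CONFIG = """\
[options]
verbosity = 1

[relay_server]
enable = yes
host = relay.example.test

# Farm used for Afaria server sessions
[backend_farm]
enable = yes
id = AfariaFarm

[backend_server]
enable = yes
farm = AfariaFarm
id = AfariaServer1

# Farm used by the Afaria server's ISAPI filter listener
[backend_farm]
enable = yes
id = AfariaFarm_IIS

[backend_server]
enable = yes
farm = AfariaFarm_IIS
id = AfariaServer1_IIS
"""

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_sections(text):
    """Return [(section_name, {key: value}), ...] in file order.

    Section names repeat (one [backend_farm] per farm), so the standard
    configparser module, which merges or rejects duplicates, is not used.
    """
    sections = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1).lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: unexpected content {raw!r}")
        key, value = line.split("=", 1)
        current[1][key.strip().lower()] = value.strip()
    return sections


def is_enabled(props):
    # Assumption: a section without an explicit 'enable' property is active.
    return props.get("enable", "yes").lower() == "yes"


def check_isapi_farms(text, wizard_farm_id):
    """Return a list of problems; an empty list means both farms are usable."""
    sections = parse_sections(text)
    farms = {p["id"]: p for name, p in sections
             if name == "backend_farm" and "id" in p}
    servers = {}
    for name, props in sections:
        if name == "backend_server" and is_enabled(props):
            servers.setdefault(props.get("farm", ""), []).append(props.get("id"))

    problems = []
    expected = ((wizard_farm_id, "Afaria server"),
                (wizard_farm_id + "_IIS", "ISAPI filter listener"))
    for farm_id, role in expected:
        farm = farms.get(farm_id)
        if farm is None:
            # Compare exactly; report a case-only mismatch as a hint.
            near = [f for f in farms if f.lower() == farm_id.lower()]
            hint = f" (found {near[0]!r}, which differs only by case)" if near else ""
            problems.append(f"{role}: no [backend_farm] with id {farm_id!r}{hint}")
        elif not is_enabled(farm):
            problems.append(f"{role}: farm {farm_id!r} is disabled")
        elif not servers.get(farm_id):
            problems.append(f"{role}: farm {farm_id!r} has no enabled [backend_server]")
    return problems


if __name__ == "__main__":
    for issue in check_isapi_farms(SAMPLE_CONFIG, "AfariaFarm") or ["OK: both farms defined"]:
        print(issue)
```

Pass the farm ID exactly as it will be typed into the wizard, without the _IIS suffix.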

Setting the Authentication Method for the ISAPI Filter

Set the authentication method for the ISAPI filter to allow basic authentication for user names and passwords.

1. Open the Microsoft IIS Manager utility and navigate to <MicrosoftServerActiveSync> > Properties > Directory Security > Edit (Authentication and access control).
2. Set authentication properties for ISAPI filter operations:
   • Enable anonymous access: disable
   • Integrated Windows authentication: disable
   • Basic authentication: enable

See Microsoft references for information about IIS Web Site authentication methods.

Files Installed With and Used By the ISAPI Filter

The installed ISAPI filter adds files and logging to the Exchange Server's IIS Server.

Installing the Afaria ISAPI filter adds the following files to your IIS Server:

IIS path: <IIS_InstallDir>
• AfariaISAPIFilterUninstall.ini
• PipeServer.ps1
• HTTPSClient.ps1
• InstUtil.dll
• XSISAPI.dll
• XSSrvAny.exe

IIS path: <IIS_InstallDir>\bin
• InstUtil.dll

Executable XSSrvAny.exe launches PipeServer.ps1 and HTTPSClient.ps1. In turn, each of these creates an event in the Windows Application Event log. The entries indicate the start action and its log file location. Consider this example event log entry:

XSISAPI PowerShell HTTPS Client was successfully started. Logfile is C:\Documents and Settings\Default User\Application Data\XSISAPI\XSISAPIHTTPS_Log.txt.

The Afaria ISAPI filter operations use and generate the following files on your IIS Server. The path for the files is described in the PipeServer.ps1 and HTTPSClient.ps1 startup Windows Application Event log entries.
• Devices.xml: list of Afaria Exchange access control clients known and managed by Afaria synchronization policies.
• (Temporary file) NewDevices.xml: iOS or Android devices that have connected to the Exchange Server for synchronization and need to send a unique Exchange identifying value to the Afaria server.
• HTTPS.txt: log file for HTTPSClient.ps1 operations. List of connections from IIS Server by the Afaria polling agent, back to the Afaria server to refresh the Devices.xml list.
• Pipe.txt: log file for PipeServer.ps1 operations. List of client synchronization requests indicating synchronization status 1 for allowed or 0 for denied.

Setting Up the SMS Gateway


Afaria uses the SMS gateway, for devices and Afaria clients that support SMS messaging, to deliver outbound notifications, remote wipe commands, Open Mobile Alliance (OMA) provisioning and server notification messages, and any other Afaria communication that is addressed for SMS routing.

1. Start the setup program.
2. On the setup menu, click Additional Installations and Resources > Access SMS Gateway Resources.
3. On the Afaria third-party component dependency reference page, find version information and download instructions for obtaining the Cygwin components.
   SMS gateway operations use only some of the components of the Cygwin product. Therefore, the installation steps describe a manual process for installing only the component that the SMS gateway requires, rather than using the Cygwin installation program.
4. Use a decompression utility to decompress the BZ2 download packages from within the <download folder> folder. For each installation package file with file extension BZ2, the decompression yields one extracted file with file extension tar.
5. Extract the decompressed packages into the same download folder. The file extraction creates the following folders:
   • <download folder>\usr: folder contains additional, nested folders.
   • <download folder>\etc: folder contents are not used for SMS gateway operations.
6. Modify the Afaria Server environment to include the required libraries and tools by either 1) including <download folder>\usr\bin in the default system path or by 2) copying the following <download folder>\usr\bin files into the Afaria folder <AfariaInstallation>\bin\SMSGateway:
   • cygcrypto-0.9.8.dll
   • cygiconv-2.dll
   • cygssl-0.9.8.dll
   • cygwin1.dll
   • cygxml2-2.dll
   • cygz.dll
   The default value for <AfariaInstallation> is C:\Program Files\Afaria.
7. Using Afaria Administrator, configure the SMS gateway interface to define connectivity between the Afaria Server that is hosting the SMS gateway and the Afaria SMS gateway.
   See Afaria Reference Manual | Platform > Server Configuration > Server Configuration Properties > SMS Gateway > SMS Gateway Interface.
8. Using Afaria Administrator, define at least one SMSC Server Configuration entity.
   See Afaria Reference Manual | Platform > Server Configuration > Server Configuration Properties > SMS Gateway > SMS Server Configuration.

SMS Gateway Third-Party Dependencies


The Afaria solution leverages the Cygwin product libraries and tools and other open source tools to implement its SMS gateway. The Cygwin product is a set of libraries and tools developed by Cygnus Solutions that creates a Unix-emulating environment on a Windows operating system. Due to the nature of open source licensing practices, cited in the GNU General Public License, the libraries and tools cannot be distributed, installed, or licensed as part of a commercial product delivery. Therefore, it is your responsibility to obtain and install the required items on behalf of your organization to enable the SMS gateway operations in the Afaria solution.

Setting Up iOS Features


Install, configure, and validate the basic iOS implementation before adding optional functionality. Basic implementation is required for all iOS operations. Optional iOS features add security enhancements.

Installing the iOS Provisioning Server (Basic)


Install the iOS provisioning server without payload signing attributes as a required component for the iOS basic implementation. Record values as you complete the installation; you will need them for subsequent configuration tasks.

1. Start the setup program.
2. On the setup menu, click Additional Installations and Resources > iOS Installations > iOS Provisioning Server.
3. On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server. The provisioning server uses these credentials to contact the Afaria server for database credentials.
4. On the Specify Virtual Directory Names page, define these settings:
   • Unauthorized virtual directory name: user-defined name, populated with a default value. This is the first directory on the provisioning server to which clients connect.
   • Authorized virtual directory name: user-defined name, populated with a default value. This is the directory on the provisioning server that clients connect to after they are authenticated to complete the payload provisioning process.
5. On the Specify Server Address page, define the address for the Afaria server. The Afaria iOS provisioning server uses this address to reach the Afaria server.
6. On the Specify Certificates for Signing page, unselect Sign Messages to disable the feature; it is not part of the basic iOS implementation.
7. Follow the setup wizard to completion. The iOS provisioning server installation is now complete. The installation process also populates the iOS Server configuration page with corresponding values.
8. (Upgrade) If you installed the iOS provisioning server on a server other than the Afaria Administrator server, some files and services from the original iOS provisioning server are now abandoned on the Afaria Administrator server. On the Afaria Administrator server, disable unwanted services from running by opening the Microsoft Component Services utility, and then stopping and disabling service AfariaIPhoneServer.

Configuring the Certificate Authority


Configure a Microsoft certificate authority (CA) as a required component for the iOS basic implementation.

Consult these essential references before and during configuration:
• Afaria system requirements: to learn about requirements for your CA's operating system and connectivity within the Afaria iOS environment.
• Microsoft documentation resources: to learn how to set up your CA to comply with the Afaria system requirements, including disabling SCEP password prompting, and to complete the configuration. See your Microsoft documentation.

After meeting operating system and connectivity requirements:

1. On the CA server, add the Active Directory Certificate Services role with these attributes:
   • Role services:
     - Certification Authority
     - Certificate Authority Web Enrollment, including the related Web Server IIS role services
     - Network Device Enrollment Service
   • Setup type: Enterprise
   • CA type: Root CA
   • Private key: create a new private key
   • Cryptography:
     - Cryptographic key provider: RSA Microsoft Software Key Storage Provider
     - Key character length: 2048
     - Hash algorithm: SHA1
   • CA name: common name and suffix are user-defined; record the common name for subsequent Afaria server property configuration
   • Validity period: user-defined
   • Certificate database: user-defined
2. Add the Web Server IIS role with at least the default role services.
3. Add the Network Device Enrollment Service with these attributes:
   • User account: specify a user account that is also a member of the domain and the local IIS_IUSRS group
   • Registration Authority (RA) information: user-defined; do not use any special characters
   • Cryptography:

     - Signature key cryptography service provider (CSP): Microsoft Strong Cryptographic Provider
     - Key character length: 2048
     - Encryption key CSP: Microsoft Strong Cryptographic Provider
     - Key character length: 2048
4. (Windows Server 2008) After adding the required roles, disable per-certificate password prompts for connecting devices by updating the CA's SCEP password registry key:
   • Key: HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword
   • Type: DWORD
   • Value: change from 1 to 0
5. Verify that the CA has the Microsoft SCEP configured with password prompting disabled. Verify this requirement by using a Web browser or the CA server's IIS Manager to open the SCEP enrollment page. If using IIS Manager, the path is Default Web Site > CertSrv > mscep > right-click Browse. Successful verification displays a certificate thumbprint. Failed verification displays a temporary password.

See System Requirements and Release Notes on page 9.

Optional iOS Implementation Features


iOS optional functionality adds security enhancements, but also increases the complexity of installation, configuration, and troubleshooting. Install, configure, and validate the basic iOS implementation before adding optional functionality.

Optional features include:
• Signed iOS configuration payloads
• Afaria Simple Certificate Enrollment Protocol (SCEP) plug-in module installed on the certificate authority (CA) to filter certificate requests
• Secure connections between the iOS provisioning server and the clients
• Secure connections between the CA and the clients
• Using the relay server as a proxy between clients and the CA or the iOS provisioning servers

Implement optional functionality as your requirements dictate.

See also:
• Adding Payload Signing to the Basic iOS Implementation on page 72
• Installing the Afaria SCEP Plug-In Module on the CA on page 75
• Configuring Secure iOS Connections on page 76
• Configuring the Relay Server for iOS Connections on page 77

Adding Payload Signing to the Basic iOS Implementation


Add payload signing as part of the optional iOS implementation to ensure that payloads are not tampered with during delivery, and to ensure that users cannot remove configuration policies from their devices.

The payload signing implementation relies on importing root and signing certificates onto the Afaria iOS provisioning server. You can either use certificates from a known certificate authority (CA), such as VeriSign or Thawte, or operate as a self-signing entity and use certificates from your own CA server.

Install, configure, and verify the iOS basic implementation. To implement payload signing:

1. Obtain a root certificate from a known certificate authority or export it from your own CA server.
2. Obtain a signing certificate from the same CA source as your root CA.
3. Copy both certificates to a location accessible from the iOS provisioning server.
4. Reinstall the iOS provisioning server to enable signing and specify certificate information.
5. Use the Afaria Administrator application to open Server Configuration > Properties > iOS Server page to configure the settings for your signing implementation.
   See Afaria Reference Manual | Platform > Properties > iOS Server.
6. Restart the Afaria server.
7. Provision one or more test devices and observe the user interface to determine whether the certificate is untrusted or trusted. The expected result, after a possible user authentication prompt, is either:
   • Signed, but untrusted: the Apple Profile Service dialog is exposed to the user and indicates status Not Verified.
   • Signed and trusted: the Apple Profile Service dialog is exposed to the user and indicates status Verified.
   If untrusted and you require trust, deploy a root certificate to the client that matches the root certificate that the provisioning server is using and retry the provisioning.

Afaria iOS Signing Certificate Requirements


The Afaria iOS signing certificate must be an IP Security (IPSec) certificate in the x.509 standard and meet criteria to support Afaria iOS features, regardless of whether you get your certificate from a known certificate authority (CA) or if you operate as a self-signing entity and create your own signing certificate.

The IPSec signing certificate must meet these property requirements:
• Subject: define the subject name as type common name.
• General: define the common name CN and record the value for future use.
• Extensions: add all available options for key usage and extended key (also known as application policies) usage.
• Private key: select key size 1024 and make the private key exportable. The key type is allowed for exchanges.

Exporting the Root Certificate from Your CA


To operate as a self-signing entity for signing your iOS provisioning payloads, export the root certificate from your CA to be imported into your Afaria iOS provisioning server.

1. On your Windows CA server, open the Microsoft Management Console.
2. Use the Add/Remove snap-in feature to add the Certificates snap-in to manage certificates for a computer account.
3. From the Console Root pane, navigate the Certificates node > Trusted Root > Certificates to display the certificate list.
4. Select the root certificate for your CA server and launch the Certificate Export wizard.
5. Complete the wizard, meeting this requirement:
   • Certificate format: Distinguished Encoding Rules (DER) encoded binary X.509 (.cer)

Creating a Signing Certificate on Your CA


To operate as a self-signing entity for signing your iOS provisioning payloads, create a signing certificate on your CA and export it to be imported into your Afaria iOS provisioning server.

1. On your Windows CA server, open the Microsoft Management Console.
2. Use the Add/Remove snap-in feature to add the Certificates snap-in to manage certificates for a computer account.
3. From the Console Root pane, navigate the Certificates node > Personal > Certificates to display the certificate list.
4. Launch the task for requesting a new certificate.
5. Define the certificate properties to meet the Afaria iOS signing certificate requirements.

Exporting the Signing Certificate from Your CA


To operate as a self-signing entity for signing your iOS provisioning payloads, export the signing certificate from your CA for import into your Afaria iOS provisioning server.

1. On your Windows CA server, open the Microsoft Management Console.
2. Use the Add/Remove snap-in feature to add the Certificates snap-in to manage certificates for a computer account.
3. From the Console Root pane, navigate the Certificates node > Personal > Certificates to display the certificate list.
4. Select the signing certificate you created for iOS provisioning and launch the Certificate Export wizard.
5. Complete the wizard, meeting these requirements:
   • Certificate format: Personal Information Exchange PKCS #12 (.pfx)
   • Certificate inclusion: include all certificates in the certification path

Reinstalling Afaria iOS Provisioning Server for Signing


Reinstall the iOS provisioning server with payload signing attributes as part of the optional payload signing implementation.

Obtain a root certificate and a signing certificate, and copy both certificates to a location that is accessible from the iOS provisioning server.

1. On the iOS provisioning server, close all running programs.
2. On the setup menu, click Additional Installations and Resources > iOS Installations > iOS Provisioning Server.
3. On the Specify Credentials, Specify Virtual Directory Names, and Specify Server Address pages, accept the values you previously defined for the basic implementation.
4. On the Specify Certificates for Signing page, select Sign Messages to enable the feature and define the signing attributes:
   • CA Certificate Filename: the path and file name for the root certificate.
   • Signing Certificate Filename: the path and file name for the signing certificate.
   • Signing Certificate Password: enter and confirm the password associated with the signing certificate.
5. Follow the setup wizard to completion. The iOS provisioning server installation is now complete.

Data is validated at the conclusion of the setup program as the process attempts to install the certificate. If you encounter errors at this point, retry the installation.
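Because setup validates the certificate files only at its conclusion, it helps to confirm beforehand that the two files are in the formats named in the export procedures above: DER encoded binary X.509 (.cer) for the root certificate and PKCS #12 (.pfx) for the signing certificate. The following is an added example, not part of the Afaria product; it inspects only the outer ASN.1 header, the function names are hypothetical, and the sample byte strings are constructed placeholders rather than real certificates.

```python
import base64


def read_header(data):
    """Return (tag, content_length, header_size) of the outer ASN.1 element.

    content_length is None for BER indefinite-length encoding (length byte 0x80).
    """
    if len(data) < 2:
        raise ValueError("too short to be ASN.1")
    tag, first = data[0], data[1]
    if first < 0x80:                       # short form: length in one byte
        return tag, first, 2
    if first == 0x80:                      # indefinite length (BER only)
        return tag, None, 2
    count = first & 0x7F                   # long form: next `count` bytes
    if count > 4 or len(data) < 2 + count:
        raise ValueError("bad length field")
    return tag, int.from_bytes(data[2:2 + count], "big"), 2 + count


def classify(data):
    """Classify file contents as 'pem', 'der-x509', 'pkcs12', 'other-asn1' or 'unknown'.

    This is a structural check on the first bytes only. It does not verify
    signatures, validity dates, or the PKCS #12 password.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"                       # Base-64 encoded export, not binary DER
    try:
        tag, length, hdr = read_header(data)
    except ValueError:
        return "unknown"
    if tag != 0x30:                        # both formats start with a SEQUENCE
        return "unknown"
    if length is not None and hdr + length != len(data):
        return "unknown"                   # truncated file or trailing bytes
    body = data[hdr:]
    if body[:3] == b"\x02\x01\x03":        # PFX begins with INTEGER version 3
        return "pkcs12"
    if length is not None and body[:1] == b"\x30":
        return "der-x509"                  # Certificate begins with tbsCertificate SEQUENCE
    return "other-asn1"


def check_signing_inputs(root_bytes, signing_bytes):
    """Return a list of format problems for the two files given to setup."""
    problems = []
    kind = classify(root_bytes)
    if kind == "pem":
        problems.append("root certificate is Base-64 encoded; "
                        "re-export as DER encoded binary X.509 (.cer)")
    elif kind != "der-x509":
        problems.append(f"root certificate is not DER X.509 (looks like: {kind})")
    kind = classify(signing_bytes)
    if kind != "pkcs12":
        problems.append(f"signing certificate is not PKCS #12 (looks like: {kind}); "
                        "re-export as Personal Information Exchange (.pfx)")
    return problems


def _seq(body):
    """Wrap bytes in a DER SEQUENCE; used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([0x30, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(size)]) + size + body


# Constructed placeholders with the right outer shape; not real certificates.
FAKE_ROOT_DER = _seq(_seq(b"\x02\x01\x02" * 100))
FAKE_ROOT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(FAKE_ROOT_DER)
                 + b"-----END CERTIFICATE-----\n")
FAKE_SIGNING_PFX = _seq(b"\x02\x01\x03" + _seq(b"\x00" * 50))

if __name__ == "__main__":
    for issue in check_signing_inputs(FAKE_ROOT_PEM, FAKE_SIGNING_PFX):
        print(issue)
```

To check real files, read each one in binary mode and pass the bytes to check_signing_inputs.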

Installing the Afaria SCEP Plug-In Module on the CA


Install the Afaria Simple Certificate Enrollment Protocol (SCEP) plug-in module on the certificate authority (CA) to filter certificate requests.

The Afaria SCEP module is an optional plug-in for your CA that enhances security by prohibiting unknown devices from obtaining an enrollment certificate. If you do not use the Afaria SCEP module, any device that provides a correctly formatted request for an enrollment certificate can be used.

1. On the CA server, start the setup program.
2. On the setup menu, click Additional Installations and Resources > iOS Installations > Install Afaria SCEP Plug-In Module.
3. On the setup program, enter database type and credentials.
4. On the setup program, choose an installation path and install the Afaria SCEP policy module.
5. On the CA, open Active Directory Certificate Services (ADCS).
6. On your CA node, select the Properties and the Policy Module tab, then select XSSCEPPolicyModule.dll. Restart ADCS.
7. (Optional, recommended) Power off, and then on, the CA server. Due to a known issue reported for the Microsoft CA restart ADCS operations, Sybase recommends turning the power off, and then on, to correctly enable the Afaria SCEP module.

After startup, the CA issues certificates only to the devices that are defined in the Afaria database.

Configuring Secure iOS Connections


Configure secure connections between your clients and your CA server, or between your clients and your Afaria iOS provisioning server when you require using SSL to encrypt the connection data. Configuring secure connections is part of the optional iOS implementation.

1. On either the Afaria iOS provisioning server or the CA server, use the IIS Certificate wizard to import a certificate and associate it with the port that clients use for a connection.
2. Use the IIS Manager utility to enable SSL for the appropriate Web site's virtual directory. For the provisioning server, the directory designated for unauthorized connections is the appropriate directory.
3. On the Afaria Administrator server, use the Afaria Administrator application to open Server Configuration > Properties > iOS Server page to configure the settings to use HTTPS on connections.
   See Afaria Reference Manual | Platform > Properties > iOS Server.

Configuring the Relay Server for iOS Connections


Optionally, set up a relay server to increase your enterprise network security. A relay server operates as a proxy for HTTP and HTTPS sessions between an Afaria server component, either the certificate authority (CA) server or the Afaria iOS provisioning server, and its clients. Clients connect to the relay server instead of directly to the Afaria server component.

1. Set up the relay server, including:
   • Preparing the foundation for relay server operations by copying files and creating application pools.
   • Editing the relay server configuration file [options] and [relay_server] sections for basic operations.
   • Editing the relay server configuration file [backend_farm] and [backend_server] sections for the component server of interest, either the CA server or the provisioning server.
2. On the Afaria Administrator server, use the Afaria Administrator application Server Configuration > Properties > iOS Server page to configure the Afaria server's settings for using the relay server.
   See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server > Provisioning Server, Certificate Authority, and Relay Server for complete instructions.
3. For each component server, copy an instance of the relay server outbound enabler (RSOE) to launch for relay server operations.
   See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server > Configuring the Relay Server for iOS Components for complete instructions.

See Setting Up the Relay Server on page 79.

Setting Up OMA DM Features


Install the OMA DM server as a required component for managing OMA DM clients.

1. Start the setup program.
2. On the setup menu, click Additional Installations and Resources > Install OMA DM Server.
3. On the Welcome window, click Next.
4. On the Directory Selection window, select the installation path, server ID, and virtual directory.
5. Click Install. The wait time for installation may be lengthy; possibly in excess of 10 minutes.

See also:
• Afaria Reference Manual | Platform > Properties > OMA DM Server
• Afaria Reference Manual | Platform > Creating Clients > OMA DM Clients

Setting Up the Relay Server


Using Afaria's relay server is not a requirement in your Afaria environment; it is bundled with the Afaria product on the product installation image as an optional component. Refer to Afaria Reference Manual | Platform > What is Afaria? > About the Relay server to learn more about the relay server, including a diagram and discussion of its components.

Set up an optional relay server to increase your enterprise network security. A relay server operates as a proxy for HTTP and HTTPS sessions between the Afaria server, or one of its supported server components, and its clients. Using a relay server increases network security by moving the session connection point from within your firewall to a location outside of your firewall, to your Demilitarized Zone (DMZ).

Afaria supports using the relay server with any of the following Afaria server components:
• Afaria server
• OMA DM server
• Provisioning server for iOS features
• Certificate Authority server for iOS features

The following steps summarize the procedure for installing and configuring a relay server on an IIS Server:

1. Register the IIS user account on the planned relay server with ASP.NET.
2. Copy relay server files from the Afaria product image to your planned relay server.
3. Create IIS application pools on the relay server.
4. Update the relay server's IIS configuration.
5. Create a relay server configuration file to reside on the relay server.
6. Update your Afaria configuration settings to begin using the relay server.
7. Make your first connection to the relay server.

Use your Microsoft IIS Server documentation as a reference for additional IIS procedures.

Registering the IIS User Account with ASP.NET


Register the IIS user account on the planned relay server with ASP.NET to assign it appropriate rights for Afaria operations.

Afaria operations use the relay server's IIS built-in user account named IUSR_<MachineName> for gaining anonymous access to Internet Information Services. This account must meet the following criteria:
• have access to the IIS metabase and other directories used by IIS.NET
• be a member of the IIS built-in user group IIS_WPG

1. Navigate to the relay server command path:
   C:\Windows\Microsoft.Net\Framework\<Version>
   If you are operating your IIS Server with more than one version of ASP.Net, choose the version that you are using to run your Web site.
2. Execute the ASP.NET registration command on the relay server with the grant access option:
   Command: aspnet_regiis.exe -ga IUSR_<MachineName>
   The command is an example of the registration command with the grant access option that is valid for ASP.Net 2.0.5. The command for your version of ASP.Net may differ.

Refer to your Microsoft IIS Server and ASP.NET product documentation for more information about the IIS user and group and using the registration command.

Copying Relay Server Files


Copy relay server files from the Afaria product image to the planned relay server to make them available for use. The Afaria product image includes a folder of files that you need for setting up your relay server on an IIS Server.
1. Locate the files on the Afaria product image:
   Copy folder: <product image>\relay_server\ias_relay_server

2. Copy folder ias_relay_server from the product image to the IIS Server's home directory (e.g. C:\Inetpub\wwwroot). Ensure that you copy the folder, rather than just the files in the folder.

Creating IIS Application Pools


Use your relay server's IIS Manager utility to create IIS application pools and application directories for the Afaria Server Web service and the Afaria Client Web service that run on the relay server. After creating the pools and the application directories, associate each Web service with its respective application pool. The following steps summarize the procedure for creating application pools:

1. Create a server application pool and associated application directory.
2. Create a client application pool and associated application directory.
3. Add Afaria Web service extensions to the IIS Server.

Refer to your Microsoft IIS Server documentation for additional IIS information.


Creating a Server Application Pool


Create a server application pool and an associated application directory on the planned relay server to process requests from an Afaria server.
1. Create an application pool with a user-defined Pool ID.
2. Assign the pool the following properties:
   - Recycling > Recycle worker processes (minutes): Disabled
   - Performance > Idle timeout: Disabled
   - Performance > Request queue limit: Disabled
   - Performance > Web garden: A minimum of twice the number of servers making requests
   - Health > Enable pinging: Disabled
   - Health > Enable rapid-fail protection: Disabled
3. Select Web Sites in the IIS Manager's left pane and navigate to Default Web Site > ias_relay_server > Server > right-click Properties > Directory.
4. Create an application directory with the following attributes:
   - Execute permissions: Scripts and executables
   - Application pool: Use the Pool ID that you created for the application pool

Creating a Client Application Pool


Create a client application pool and an associated application directory on the planned relay server to process requests from an Afaria client.
1. Create an application pool with a user-defined Pool ID.
2. Assign the pool the following properties:
   - Recycling > Recycle worker processes (minutes): Disabled
   - Performance > Idle timeout: Disabled
   - Performance > Request queue limit: Disabled
   - Performance > Web garden: At least twice the number of servers making requests, but no less than 5. You may want to increase the value if client connections are frequently dropped or if clients experience bad throughput during sessions.
   - Health > Enable pinging: Disabled
   - Health > Enable rapid-fail protection: Disabled
3. Select Web Sites in the IIS Manager's left pane and navigate to Default Web Site > ias_relay_server > Client > right-click Properties > Directory.
4. Create an application directory with the following attributes:
   - Execute permissions: Scripts and executables
   - Application pool: Use the Pool ID that you created for the application pool

Adding Web Service Extensions to IIS


Add Web service extensions to identify and allow the server and client relay server requests.
1. In the IIS Manager's left pane, select Web Service Extensions.
2. Add the Afaria Server Web service as a valid extension with the following attributes:
   - Extension name: User-defined name for the server extension
   - Required files: ias_relay_server\server\rs_server.dll
   - Set extension status to Allowed: Enabled
3. Add the Afaria Client Web service as a valid extension with the following attributes:
   - Extension name: User-defined name for the client extension
   - Required files: ias_relay_server\client\rs_client.dll
   - Set extension status to Allowed: Enabled

Updating the Relay Server's IIS Configuration


Run the relay server's IIS adsutil.vbs script to define the IIS Server client request buffer handling for the application pool.

1. Locate the adsutil.vbs script.
   Script location example: C:\Inetpub\AdminScripts

2. Run the script to set the UploadReadAheadSize property.
   Script command: cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 0
   The command returns the current value of the uploadreadaheadsize variable.

Editing the Relay Server Configuration


A sample configuration file is provided with the relay server files that you copied from your Afaria product image. Edit the sample with settings for your environment.
1. Locate the sample configuration file.
   Location: <wwwroot location>\ias_relay_server\server\rs.config

2. Using a text editor, edit the configuration file's [options] and [relay_server] sections for the relay server's basic operations.
   The configuration file must contain only ASCII characters.

3. For each server component that you want the relay server to support, edit or create sections [backend_farm] and [backend_server] with settings for your environment, according to the configuration file definitions.

4. Start the relay server.

See also:
- Configuration File Definitions for Basic Operations
- Configuration File Definitions to Support Server Components
- Starting and Restarting the Relay Server


Sample configuration file rs.config part 1 of 2 (see note 1)

    #------------------------------------
    # Relay server
    #------------------------------------
    [options]
    start = auto
    verbosity = 1
    # Note: When auto start is used, the default log file is
    # <tmpdir>\ias_relay_server_host.log while rshost is active.
    # The value of <tmpdir> is filled using the following environment variables
    # searched in this order:
    # SATMP
    # TMP
    # TMPDIR
    # TEMP

    #-------------------
    # Relay server
    #-------------------
    [relay_server]
    enable = yes
    host = 123.45.6.78
    http_port = 80
    https_port = 443
    description = Machine #1 in RS farm

1. The actual file is a single, continuous file. The file is represented here in two parts for the sake of page formatting.


Sample configuration file rs.config part 2 of 2 (see note 1)

    #--------------
    # Backend farms
    #
    # Notice that the case sensitive farmID must match the farmID set in the Afaria Administrator's
    # relay server configuration page. Default value in Afaria is farmID=Afaria.
    #--------------
    [backend_farm]
    enable = yes
    id = farmID
    description = Afaria Farm

    #----------------
    # Backend servers
    #
    # id must match regKey HKLM\Software\Afaria\Afaria\Server\TransmitterId
    # on your afaria server
    #----------------
    [backend_server]
    enable = yes
    farm = farmID
    id = sc
    token = zyyxpj22p

Configuration File Definitions for Basic Operations


The relay server configuration file rs.config consists of several sections, each indicated by the [section] convention. Define sections [options] and [relay_server] for basic relay server operations. The remaining sections are for supported server components. Restart the relay server engine (rshost.exe) and its supporting components any time you make changes to the configuration file.

Section: [options]
General options for relay server operations.
- start: Set value to auto to automatically start the relay server engine when an Afaria server connects successfully.
- verbosity: Controls the level of logging. Logs always include errors. Log levels 1-5 always include warnings.
    0  No logging
    1  Session-level logging
    2  Request-level logging
    3  Packet-level logging, terse
    4  Packet-level logging, verbose
    5  Transport-level logging

Section: [relay_server]
Identifies your relay server and its respective ports for HTTP and HTTPS communications. The relay server's ports must match the IIS Server's ports.
- enable: Controls whether the relay server operates.
    yes  Operate.
    no   Do not operate.
- host: Relay server's own IP address or host name.
- http_port: Set value to match the relay server's IIS setting for HTTP communications.
- https_port: Set value to match the relay server's IIS setting for SSL communications.
- description: User-defined description.

See Starting and Restarting the Relay Server.

Configuration File Definitions to Support Server Components


The relay server configuration file rs.config consists of several sections, each indicated by the [section] convention. To configure the relay server to support any of the Afaria operations, such as Afaria server or OMA DM server, define sections [backend_farm] and [backend_server] for each of those server components. Restart the relay server engine (rshost.exe) and its supporting components any time you make changes to the configuration file.

Afaria supports using the relay server with any of the following Afaria server components:
- Afaria server
- OMA DM server
- Provisioning server for iOS features
- Certificate Authority server for iOS features

Section: [backend_farm]
Creates a single, case-sensitive identifier for a component server environment, regardless of whether you are operating a single component server or a farm of component servers.
- enable: Controls whether the farm operates.
    yes  Operate.
    no   Do not operate.
- id: User-defined, case-sensitive value for identifying a server farm. Each farm in the relay server configuration file must have a unique ID.
- description: User-defined description.
- client_security: Specifies the secure communication protocol requirement for clients connecting to the relay server. This is an optional section that is not represented in the sample configuration file. Omitting the section results in the relay server enforcing the default value.
    on   HTTPS is required.
    off  Default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.
- backend_security: Specifies the secure communication protocol requirement for component servers connecting to the relay server. This is an optional section that is not represented in the sample configuration file. Omitting the section results in the relay server enforcing the default value.
    on   HTTPS is required.
    off  Default. HTTPS is not required; HTTP and HTTPS are both valid connection protocols.

Section: [backend_server]
Identifies a single component server to the relay server. You must have one [backend_server] section for each component server in your component server environment.
- enable: Controls whether the server operates.
    yes  Operate.
    no   Do not operate.
- Farm: The case-sensitive farm value is the same for each server. Use the same farm ID as from section [backend_farm].
- ID: The ID value is unique for each server in the farm. If a server hosts more than one supported server component, then all server IDs on the host must be unique. For example, if a server hosts both an Afaria server and an OMA DM server, and both are defined in separate farms in the relay server configuration file, then the server IDs used for the two server components must be different.
- Token: The token is any string that you create. Use the same token value for each server in a farm.

Configuration for Afaria Server

Defining the relay server configuration file to support an Afaria environment requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following items when defining the relay server configuration file [backend_farm] and [backend_server] sections.

Section: [backend_farm]
- id: User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the farm ID you define on the Afaria Administrator > Server Configuration > Properties > Relay Server page. On the Relay Server page, the default value is afaria.

Section: [backend_server]
- ID: Define the server ID value to match the TransmitterID value defined in each Afaria server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.
- Token: Farm token you define must match the farm token you define on the Afaria Administrator > Server Configuration > Properties > Relay Server page.

Configuration for OMA DM Server

Defining the relay server configuration file to support one or more OMA DM servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.
- id: User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the Farm ID you define on the Afaria Administrator > Server Configuration > Properties > OMA DM Server page.

Configuration for Access Control for Exchange Features ISAPI Filter

Defining the relay server configuration file to support one or more ISAPI filters requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.
- id: Syntax is <AfariaServerFarmID>-IS, where AfariaServerFarmID is the same farm ID you define for the Afaria server in the relay server configuration file, and -IS is a suffix. For example, if you define your Afaria server farm ID as Afariafarm, then define your ISAPI filter's farm ID as Afariafarm-IS to match.

Configuration for iOS Provisioning Server

Defining the relay server configuration file to support one or more iOS Provisioning servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.
- id: User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the RS Farm ID for PS you define on the Afaria Administrator > Server Configuration > Properties > iOS Server page.

Configuration for iOS Certificate Authority Server

Defining the relay server configuration file to support one or more iOS Certificate Authority servers requires that you define some matching values in both the configuration file and the Afaria environment. Consider the following item when defining the relay server configuration file [backend_farm] section.
- id: User-defined, case-sensitive value for identifying the server farm. The farm ID you define must match the RS Farm ID for CA you define on the Afaria Administrator > Server Configuration > Properties > iOS Server page.

See Starting and Restarting the Relay Server.

Configuration File Implementation Examples


The following environment models indicate the structure of the relay server configuration file needed to match different sample Afaria server environments.

Single Afaria server
In an environment that includes a single relay server supporting a single Afaria server, the configuration file includes one instance of each section:
- [options]: one instance
- [relay_server]: one instance
- [backend_farm]: one instance
- [backend_server]: one instance

Afaria server farm with four servers
In an environment that includes a single relay server supporting an Afaria server farm with four servers, the configuration file includes the following sections:
- [options]: one instance
- [relay_server]: one instance
- [backend_farm]: one instance
- [backend_server]: four instances

Single Afaria server plus an Afaria server farm with four servers
In an environment that includes a single relay server supporting a single Afaria server and an Afaria server farm with four servers, the configuration file includes the following sections:
- [options]: one instance
- [relay_server]: one instance
- [backend_farm]: two instances
- [backend_server]: five instances
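
The rules stated in the configuration file definitions and implementation examples (one [options] and one [relay_server] section, unique case-sensitive farm IDs, the -IS suffix for ISAPI filter farms, unique server IDs and one shared token per farm, ASCII-only content, and HTTPS not being required by default) can be checked before you restart rshost.exe. The following Python linter is an added example, not part of the Afaria product or of this guide. Its function names, the assumption that comments are whole lines starting with #, the key = value form for client_security and backend_security, and the constructed sample file are illustrative assumptions.

```python
from collections import Counter, defaultdict

SAMPLE_TOKEN = "zyyxpj22p"  # token printed in the guide's sample rs.config


def parse_rs_config(text):
    """Return [(section, {key: value}), ...] in file order.

    Section names repeat ([backend_server] once per server), which configparser
    rejects. Assumptions: only whole-line '#' comments; section and key names
    are case-insensitive; values keep case (farm IDs are case-sensitive).
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip().lower(), current))
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def lint_rs_config(text):
    """Return (severity, message) findings for the text of one rs.config."""
    findings = []
    if not text.isascii():
        findings.append(("error", "file contains non-ASCII characters"))
    sections = parse_rs_config(text)
    names = Counter(name for name, _ in sections)
    for required in ("options", "relay_server"):
        if names[required] != 1:
            findings.append(("error", f"expected one [{required}] section, found {names[required]}"))

    farms = [body for name, body in sections if name == "backend_farm"]
    servers = [body for name, body in sections if name == "backend_server"]
    farm_ids = Counter(farm.get("id", "") for farm in farms)
    for farm_id, count in farm_ids.items():
        if count > 1:
            findings.append(("error", f"farm id '{farm_id}' is defined {count} times"))
        # ISAPI filter farms are named <AfariaServerFarmID>-IS.
        if farm_id.endswith("-IS") and farm_id[:-3] not in farm_ids:
            findings.append(("error", f"farm '{farm_id}' has no matching farm '{farm_id[:-3]}'"))
    for farm in farms:
        for key in ("client_security", "backend_security"):
            if farm.get(key, "off").lower() != "on":  # off is the documented default
                findings.append(("warning", f"farm '{farm.get('id', '')}': {key} is off, HTTP is accepted"))

    tokens, server_ids = defaultdict(set), Counter()
    for server in servers:
        farm, sid, token = (server.get(k, "") for k in ("farm", "id", "token"))
        if farm not in farm_ids:  # exact, case-sensitive comparison
            findings.append(("error", f"server '{sid}' references undefined farm '{farm}'"))
        tokens[farm].add(token)
        server_ids[(farm, sid)] += 1
        if token == SAMPLE_TOKEN:
            findings.append(("warning", f"server '{sid}' still uses the guide's sample token"))
    for (farm, sid), count in server_ids.items():
        if count > 1:
            findings.append(("error", f"server id '{sid}' appears {count} times in farm '{farm}'"))
    for farm, values in tokens.items():
        if len(values) > 1:
            findings.append(("error", f"servers in farm '{farm}' use {len(values)} different tokens"))
    return findings


# Constructed sample: values from the guide's sample plus deliberate mistakes.
CONSTRUCTED_BAD = """\
[options]
start = auto
[relay_server]
enable = yes
description = Machine #1 in RS farm
[backend_farm]
id = Afaria
client_security = on
backend_security = on
[backend_farm]
id = Afariafarm-IS
[backend_server]
farm = Afaria
id = sc
token = zyyxpj22p
[backend_server]
farm = Afaria
id = sc
token = constructed-token-3
[backend_server]
farm = afaria
id = sc2
token = constructed-token-2
"""

if __name__ == "__main__":
    for severity, message in lint_rs_config(CONSTRUCTED_BAD):
        print(f"{severity:8}{message}")
```

The linter only reads the file; matching the farm ID, token and TransmitterId against the Afaria Administrator pages and the server registry remains a manual comparison.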

Starting and Restarting the Relay Server


Restart the relay server any time the relay server is already running and you change the relay server configuration file or have another reason to restart the relay server engine. Restarting the relay server updates its configuration, as per the configuration file, without restarting IIS and without causing any disruption to other IIS applications. The relay server starts automatically when configured to do so as part of its basic operations. The automatic start feature is defined when you use the start=auto attribute in the relay server's configuration file [Options] section. The IIS Server must be running before the automatic start feature can take effect.

1. On a command line, use DOS command Change Directory to navigate to the Afaria Server Web service extensions folder, typically IIS path inetpub\wwwroot\ias_relay_server\server:
   CD <WebServiceFolder>

2. Issue the rshost restart command:
   rshost.exe -u -qc -f rs.config

You may want to create a batch file for the commands and store it in a convenient location in your relay server environment. See Configuration File Definitions for Basic Operations.

Documentation Resources for Updating Afaria Configuration


For Afaria-related server components and clients, update your Afaria environment's configuration settings to begin using the relay server. You need to align several configuration settings with values in the relay server's configuration file. It may be helpful to have a copy of the file for reference. Refer to Afaria Reference Manual | Platform for more information about configuring Afaria server components and clients to work with the relay server.


Planning for Adding a Relay Server to Your Afaria Environment


Adding a relay server to your Afaria environment required product development changes to both server-side settings and operations and client-side settings and operations. Therefore, using a relay server has Afaria client upgrade implications. It is recommended that you upgrade all clients prior to starting relay server operations.
1. Upgrade the Afaria server.
2. Connect clients to the server to receive a client update.
3. Begin relay server operations.
4. Configure clients for relay server operation using one of the following methods:
   - New client installations: Create new client installation packages with relay server information as the seed data. Install and connect new clients.
   - Update client configuration: Update client configuration settings with relay server information. Connect clients.

Configuring Upgraded Clients with Relay Server Data


For customers that are licensed for Session Manager and have upgraded clients that require a configuration update to seed relay server connection data, you can automate the client update. Consider the following upgrade strategy, as described for Windows Mobile clients:
1. Configure the relay server information on your upgraded Afaria server.
2. Create a new client package with relay server seed data.
3. Install the client on a test device.
4. Use Session Manager to extract the values for the client's relay server data registry keys HKLM\Software\Afaria\Afaria\Client\Config RSFarmID and RSInfo.
5. Use Session Manager to update the client configuration data for upgraded devices that need the relay server data.

Relay Server Bypass


Even after your relay server is operational, the Afaria server continues to support direct client connections. If it is appropriate for your environment, you may allow clients to continue to connect to the Afaria server directly. Afaria clients are still able to initiate connections directly with the Afaria server, bypassing the relay server altogether.


Installing Afaria 6.6 Feature Pack 1


Install Afaria 6.6 Feature Pack 1 (FP1) to add new functionality to your existing Afaria 6.6 installation. Validate your Afaria 6.6 operations before installing FP1. FP1 includes these enhancements:
- Afaria Access Control for Microsoft Exchange
- iOS management
- Application management for iOS and Android clients

Follow the installations that match the features and clients for which you are licensed. If you are licensed for all the enhancements, then follow a combination of the installations.

Installing FP1 for Afaria Access Control for Microsoft Exchange

If you are licensed for Windows Mobile, Symbian, iOS, or Android, install the access control update.

1. (iOS) Before upgrading, in the Afaria Administrator application, select Server Configuration > Properties > Exchange Access Policy to review your current default policy and time frame settings.
2. Stop Afaria services on your server or farm.
3. On your Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.
4. On your Afaria server, starting with your master server if you have a farm, run the FP1 server setup program.
5. On the Afaria Administrator server, run the FP1 administrator setup program.
6. Start Afaria services on your server or farm.
7. Revisit Server Configuration > Properties > Exchange Access Policy page to review your upgraded iOS settings and new policy options. Change any settings as is appropriate for your requirements.
8. Prepare clients according to type.
   - (iOS) Use Data Views > Clients to change the access control policy for any iOS devices as is appropriate for your requirements.
   - (Android, Symbian, Windows Mobile) Connect clients to the Afaria server to report their Exchange identifying data.
9. On the IIS server that services your enterprise's Microsoft Exchange Server, install the Afaria ISAPI filter. Customers who are upgrading can install the filter over the existing filter. The policies defined for known and unknown devices go into effect, and the devices you prepared are identified as known devices.

Installing FP1 for iOS Management

If you are licensed for iOS clients, install the iOS Mobile Device Management (MDM) management update. iOS MDM management requires that you obtain an Apple iOS Developer Program enterprise certificate (.p12) with push notification privileges, an Apple Worldwide Developer Relations Certification (WWDR) intermediate certificate (.cer), and an Apple root certificate (.cer), as licensed to your enterprise by Apple.

1. On the Afaria server, using either the Microsoft Management Console with the Certificates snap in for the local computer, or the Afaria Install Apple Push Certificate utility (<ServerInstallationDirectory>\Bin\InstallPushCert.exe), install the Apple certificates in the appropriate certificate stores.
   - Apple root certificate: trusted root store
   - Apple Worldwide Developer Relations Certification (WWDR) intermediate certificate: trusted root store
   - Apple iOS Developer Program enterprise certificate: personal store
   If using the Afaria utility, and the iOS provisioning server is installed on the same server, and you want to enable the possibility of signing iOS provisioning payloads with your Apple enterprise certificate, select Modify ACL to modify the Windows Access Control List to grant read-only privileges to iOS components that require it.
2. Stop Afaria services on your server or farm.
3. On the Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.
4. On the Afaria server, starting with the master server if you have a farm, run the FP1 server setup program.
5. On the Afaria Administrator server, run the FP1 administrator setup program.
6. On the Afaria iOS provisioning server, run the FP1 provisioning server setup program.
7. Start Afaria services on the server or farm.
8. In the Afaria Administrator application, select Server Configuration > Properties > iOS Notification page to add your Apple iOS Developer Program certificate. See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Server.
9. In the Afaria Administrator application, select Server Configuration > Properties > iOS Server page to verify or modify the addresses for using the Apple Push Notification Service for notifications and feedback services, as provided by Apple as part of the iOS Developer Program. See Afaria Reference Manual | Platform > Server Configuration > Properties > iOS Notification.
10. Restart the Afaria server.
11. In the Afaria Administrator application, select Data Views > Clients, right-click an iOS client and select Outbound notification > Provision device to force a device to connect and receive a management policy. The device user must allow the policy to install to begin MDM management. Verify management status by reviewing the new client inventory data added as a result of MDM management.

Installing FP1 for Application Management

If you are licensed for iOS or Android clients, install the application management update. For more robust iOS application management, install FP1 for iOS management prior to installing FP1 for application management.

1. If you created any portal application packages in Afaria 6.6 before installing FP1, open the Afaria Administrator application and select Administration > Policies and Profiles page and delete any packages you created. Packages created prior to installing FP1 are rendered invalid when you install FP1.
2. Stop Afaria services on your server or farm.
3. On your Afaria server, starting with your master server if you have a farm, launch Afaria 6.6 server setup to update the license key. Re-run the server installation to update settings related to the new key.
4. On your Afaria server, starting with your master server if you have a farm, run the FP1 server setup program.
5. On the Afaria Administrator server, run the FP1 administrator setup program.
6. On your planned portal server, run the FP1 portal package server setup program, recording the server's virtual directory and address.
7. Start Afaria services on your server or farm.
8. In the Afaria Administrator application, select Server Configuration > Properties > Portal Package Server page to verify the portal package server's virtual directory and address. See Afaria Reference Manual | Platform > Server Configuration > Properties > Portal Package Server.
9. Restart the Afaria server.


See also:
- Afaria Reference Manual | Platform > Administration > Portal Packages > Managing Packages.
- Afaria Reference Manual | Platform > Administration > Portal Packages > Package Category Application.

Installing the Portal Package Server


Install the portal package server as the primary component for portal package features. Record values as you complete the installation; you will need them for subsequent configuration tasks.
1. On the planned portal package server, close all running programs.
   You can install the portal package server on the same server as the Afaria Administrator server or on a separate server.
2. Locate the Afaria portal package server setup file (.exe), distributed with the feature pack.
3. On the Directory Selection page, accept the default location or click Browse to navigate to a new location.
4. On the Specify Credentials page, specify the account name and password used to run the Afaria service on the Afaria server. The provisioning server uses these credentials to contact the Afaria server for database credentials.
5. On the Specify Virtual Directory Name page, define these settings:
   - Virtual directory name: user-defined name, populated with a default value.
   - Use Windows Authentication: select to use Windows Integrated Authentication for client connections. If selected, users are prompted for credentials when they use the package features on their device.
6. On the Specify Server Address page, define the address for the Afaria server. The portal package server uses this address to reach the Afaria server.
7. Follow the setup wizard to completion.

The portal package server installation is now complete. The installation process also populates the Portal Package Server configuration page with corresponding values.


Upgrading Android Clients from 6.6 to 6.6 FP1


Uninstall the Android client prior to installing the Afaria Client application (Afaria agent) from the Android Market.
1. On the device, deactivate the privilege associated with the Afaria application (Settings > Location and Security > Device Administrators).
2. Uninstall the Afaria agent.
3. Navigate to the Android Market and install the Afaria Client application (Afaria agent).


Create Client Installation Wizard


Some Afaria client types require an installed Afaria agent to support Afaria management. After the agent is installed on the device, the device can connect to the Afaria server. Use the Afaria Create Client Installation program to create Afaria agent installation packages and then use one of Afaria's deployment methods to get the agent onto the computing device for installation. The Afaria Create Client Installation program is located on your Afaria server:

Start > Programs > Afaria > Afaria Create Client Install

This wizard guides you through creating an Afaria agent installation package. Based on client type and your environment, you can choose different options that allow you to deploy the agent via a companion PC, a network, or the OTA Deployment Center.


Updating Passwords and Accounts on the Afaria Server


Without reinstalling the Afaria server, change the user account and password associated with the Afaria server service, or the user password associated with the database, to meet your requirements.
1. Close all Afaria programs.
2. Using a command line, run the setup program (setup) with parameters to change the service account or password. The setup program accepts parameters in any order. Available command-line parameters:
   - -Maintenance: required for all commands
   - -ServiceAccount=name: required if changing the user account and password associated with the Afaria server service
   - -ServicePassword=password: required if changing the user account and password associated with the Afaria server service
   - -DatabasePassword=password: required if changing the database user account password
3. Allow the program to run to completion. The Afaria setup program runs silently. It may take several minutes to complete. You may not know when it has finished unless you watch the task list or run the setup from a batch file. To check for errors, see C:\silent.log.

Afaria Server Command-Line Password Update Syntax Examples

The Afaria command-line setup program accepts parameters in any order. Examples:

    setup -Maintenance -DatabasePassword=password
    setup -Maintenance -ServiceAccount=name -ServicePassword=password
    setup -Maintenance -DatabasePassword=password -ServicePassword=password2


Removing Afaria Components


Remove Afaria software components as needed by using the Microsoft Add/Remove Programs utility. If you are removing the Afaria server, any instance of Afaria Administrator or Afaria Windows client is removed at the same time. Removing the Afaria server deletes the software component and all defined channels but preserves the Afaria database. The OTA Deployment Center is an independent component that you need to remove separately from the Afaria software components.
1. Close all Afaria programs.
2. Stop all Afaria-related services.
3. Using the Microsoft Add/Remove Programs utility, select the component and remove it. The most common reasons for the step to fail are:
   - An Afaria program or related service is still running. Stop the programs and related services and retry the step.
   - Windows Explorer or some other program is using the Afaria installation directory. Close all programs, then restart the machine and retry the step.
   - Afaria system folders are shared with client users. Remove the share from the folder and retry the step.

If removing a replication server from a server farm environment, delete the server's entry from the farm's A_SERVER database table. If you do not delete this server from the database, it continues to appear in the channel replication window in Afaria Administrator as an available server, even though it is no longer an eligible target for replication.
