Quick Start Guide

Legacy Mobile Device Management (MDM) service retiral: November 1, 2021.

From November 1st, any Android, Windows Mobile or legacy MDM iOS devices (these are iOS devices that are not enrolled in Apple Device Management(ADM) service) will no longer be supported. You are not required to take action on these devices as we will automatically retire the service.

Go to the Mobile Device Management page for further information.

This change does not affect iOS devices enrolled in ourApple Device Management(ADM) service) which will continue to be supported and offers numerous advanced management options not available in the legacy MDM service.

  1. View the defaults or create a custom Device Management Policy for Android or Windows Phone from Settings > Mobile Device Management > Device Policies. Apple device use configuration profiles controlled through Apple Device Management.
  2. Select the Mobile Device Management Policy for all Android and Windows Phone mobile devices down to the Site level in Settings > Mobile Device Management > Settings. Apple devices configuration profiles are uploaded and applied through the Apple Device Management framwork.
  3. Send the provisioning details to the device’s owner by completing the required information in the New Mobile Device button under the Mobile Devices tab.
  4. The device holder simply follows the link and instructions contained in the provisioning email or SMS to install MobileGuardian which registers itself on the Dashboard.
  5. After the device is activated, summary information about the device will be available in the Mobile DevicesSummary tab. Further information will be uploaded at regular intervals depending on the policy being used by the device. As well as view information on the monitored mobile devices, users can send Commands to the selected device via the Mobile Device actions menu, with this menu also available when right-clicking on the device.

Mobile Device Management Policies (Android and Windows Phone)

In addition to the default policies we have included the option to create custom policies via Settings > Mobile Device Management > Device Polices when logged on to the Dashboard under an account with advanced privileges, for example Superuser or (non-Classic) Administrator level access, a login with the required Mobile Device Management permissions enabled or the Agent Key (where Dashboard access is enabled

To create a custom policy click New, select the Operating System the policy is to apply to then enter the Policy Name (for identification), ownership type (BYOD or COD) and choose the required management options. Please note, different options are available depending upon the selected Operating System and ownership type.

From Dashboard 2020.12.15 Mobile Device Management Apple Policies were replaced by Apple Device Management Apple Configuration Profiles. This allows you to upload and deploy your own custom configuration policies to Apple devices through the Apple Device Management framwork.

mdm_settings_drop mdm_policy_dialog

Highlight the custom policy then click Edit to amend and where a policy is no longer required it can be removed from the Dashboard by choosing the custom policy and Delete. Please note a policy cannot be deleted where it is currently in use by a mobile device.

Select the Mobile Device Protection Policies (Android and Windows Phone)

Mobile Device Management policies can be applied from the all Mobile Device level down to individual Clients and Sites via the Mobile Device Management Policy Settings dialog available from Settings > Mobile Device Management > Settings.

Simply decide on the hierarchical level the policy is to be applied at - all Mobile Devices, Client or Sites then from the Company Owned and Employee Owned sections choose the required policy to apply for each Operating System.

By default the device will inherit its policy from the Site it is registered against, which inherits the policy from the associated Client, which in turn inherits the policy set for all Mobile Devices.

Apple devices use configuration profiles which are uploaded and applied through the Apple Device Management framework.

mdm_policy_settings_main

Monitor a Mobile Device

To place a device under Mobile Device Management, open the Mobile Devices tab on the Dashboard and click add_iconAdd Mobile Device or from the File menu, Add Device, Add Mobile Device.

Single Device

Complete the Add Mobile Device dialog information under the Single Device tab to identify the mobile device on the Dashboard as well as provision the device itself.

Client

Choose the Client the device is to be associated with

Site

Select the corresponding Site

Device Name

Enter the name of the device for identification in the Dashboard

Holder’s Name

Populate the First and Last name of the device’s holder.

Email Address

Enter an email address accessible from the device to receive the provisioning information.

Phone Number

Complete the phone number of the device to receive the provisioning information where applicable (non-mandatory).

Send SMS

Send an SMS to the above number with the provisioning information.

Please note, from Dashboard 6.44, the leading 0 in the SMS number must be replaced with the country code for all countries.

BYOD

Tick this box to indicate the device is employee owned and use the relevant BYOD policy

Multiple Devices

Rather than enter the above information on a device by device basis when adding a large number of devices, a CSV file can be created and uploaded to the Dashboard containing details of up to five hundred mobile devices.

The mobile device details must be in the following format:

client_name, site_name, device_name, first_name, last_name, email_address, phone_number, send_sms (0/1), byod (0/1)

Notes:

The client_name and site_name must match the corresponding entries in the Dashboard and only one occurrence of a device name is permitted per site. The send_sms and byod fields can be either (0)no or (1) yes. phone_number is the only non-mandatory field and as such this field may be left blank, for example ...johndoe@android.it,,0,1

The following provides an example of a CSV file containing the device information in the required format:

Retros,Berlin,Android Nexus 4,John,Doe,johnd@android.it,771234567890,1,1

Retros,Berlin,Android Nexus 7,John,Doe,johnd@android.it,,0,1

Retros,Munich,Android Nexus 4,Jane,Doe,janedoe@android.it,119876543210,1,0

After populating the file it is uploaded to the Dashboard via the Multiple Devices tab of the Add Mobile Device dialog. Click the Browse button, navigate to the file's location, select the file and click OK to upload.

Once uploaded the information contained in the file is displayed in the dialog with any problem elements highlighted, for example invalid or duplicate entries. Please note, any elements in an error state must be resolved before the CSV file can be processed and this can be achieved by amending the information in the CSV file then re-uploading.

Whether adding single or multiple devices click OK to accept the entered details and generate the provisioning email and SMS (where configured) containing the information required to register the mobile device.

Mobile Devices can be added and managed by administrator and above users.

Provision the device

After receiving the registration notification the user simply opens the provisioning page from their mobile device. From here they select the version of MobileGuardian that corresponds to their device platform (Apple iOS, Google Android or Microsoft Windows Phone 8.1^). Installs MobileGuardian, entering any details (including the Activation Code for Google Android along with the MobileGuardian territory server for Microsoft Windows Phone 8.1^), accepting the permissions and performing any actions when prompted. For example install the MDM profile on Apple devices.

Once complete the device will appear in the Mobile Devices tab of the Dashboard under the selected Client and Site with the relevant policy applied.

Please be aware that the device will remain in the Unregistered Devices section of the Dashboard until the MobileGuardian is installed and at this point it will move under the Active Devices section.

Where the user failed to receive the provisioning notification this can be resent by selecting the device in the north pane of the Dashboard and from the Mobile Device drop-down Resend Provisioning then select whether to Resend E-Mail of Resend SMS.

If the user accidentally deleted the MobileGuardian app or it was not installed as part of the activation process aCommand can be issued from the Dashboard to retroactively install the app on Apple iOS and Microsoft Windows Phone 8.1^

The contents of the provisioning information email may be amended in the Dashboard via Mail Templates, Mobile Device Provisioning.

Apple introduced changes to its MDM configuration settings in iOS 13. When upgrading to iOS 13 on a device already running the non- Apple Device Management version of MDM, iOS forcibly removes MobileGuardian from the device. To continue monitoring, re-enroll MDM on the device to apply the Apple Device Management version.

Apple Devices: Apple Device Management (from Dashboard 2020.12.15)

From Dashboard 2020.12.15, Mobile Device Management for Apple devices uses the Apple Device Management infrastructure to handle communication between the Dashboard and newly installed Apple devices, including pushing configuration profiles. Before provisioning an Apple device in Mobile Device Management, please ensure the Apple Push Notification Certificate is setup in Apple Device Management. Where an Apple device successfully enrolls in Mobile Device Management using the Apple Device Management framework, a green tick box displays against the device in the Mobile Devices section of the Dashboard.

Manage the Mobile Device

As well as view information on the monitored mobile devices, users can managed the selected device via the Mobile Device actions menu, which menu is also available when right-clicking on the device.

This drop-down includes the ability to issue Commands such as Update Device Information, Lock Device, Clear Passcode, Remote Wipe Device etc as well as Edit or Delete the device from the Dashboard.

To issue a command, highlight the target device in the Mobile Devices section of the Dashboard and select the required action from the Commands drop-down.

Once a command is sent to a device it is recorded in the Commands tab of the Dashboard.

mdm_commands_drop

Deploy custom Apple Apple Configuration Profiles

The Dashboard includes the ability to upload and deploy custom Apple Apple Configuration Profiles through Apple Device Management to Apple devices that were newly enrolled in Mobile Device Management after the release of Dashboard 2020.12.15.

To apply Apple configuration profiles to a device, select the device in the north pane of the Dashboard and from Mobile Device drop-down or right-click context menu choose Manage Profiles. From here you can choose to Install, Remove or View Apple configuration profiles.

Mobile Device Management Dashboard Information

The Dashboard has a number of tabs containing information returned from the monitored device, depending on the selected management options.

Tab

Information




Summary

An overview of the device including its Operating System, hardware and network information along with the MobileGuardian Supported Features.

clip1163

android_icon

clip0464

Apps

Lists the currently installed apps including its Name, Package Name and Version.

clip1163

android_icon

Commands

Contains information on any action sent to the device.

clip1163

android_icon

clip0464

Data Usage

Charts the mobile data usage since the installation of the app and includes the facility to view this data monthly or yearly as well as download the chart in a variety of formats including PNG, JPEG, PDF or SVC vector image.

android_icon

Calls

Lists all incoming and outgoing calls made to or from the mobile device since the installation of the app. Reports the destination or originator Phone Number, Start Time, End Time and Duration.

android_icon

Messages

Lists all incoming and outgoing SMS messages sent to or from the mobile device since the installation of the app. Reports if it was Incoming or Outgoing, the destination or originator Phone Number and the Time the message was received.

android_icon

Location

Displays the current location of the device via OpenStreetMaps.

android_icon

clip0464

mdm_device_summary

Show on Map

There may be times when you wish to track multiple devices rather than single devices on a map. Multi-select the desired devices in the north pane of the Dashboard then from the Mobile Devices drop-down (or right click on one of the selection) choose Show on Map. Each device is represented by a peg with the map automatically updating to reflect the location when the device next reports back to the Dashboard. Click on a peg to display the device name, then click on its name to return more detailed information.

mdm_show_on_map_map2

Mobile Device Management Reports

Three Mobile Device Management Reports are available:

Report

Notes

Mobile Device Inventory Report

Information on each monitored mobile device such as the owner, hardware MobileGuardian policy and enabled features

ios_icon

android_icon

windows_icon

Mobile Device Usage Report

Contains details on the device and owner along with the number of Calls, Messages, Data Usage etc.


android_icon


Location History Report

This not only includes details of the device but its Latitude, Longitude, level of Accuracy, time of the reading as well as the option to show the location on a map.

android_icon

windows_icon

mdm_invetory_report

Edit the Mobile Device

The device details including the Site, Device Name, ownership, policy etc can be amended by selecting the required device in the north pane of the Dashboard and from the Mobile Device go to Edit Mobile Device, this options is also available when right-clicking on the device.

Delete the Mobile Device from the Dashboard

Where the device is no longer to be managed it can removed from the Dashboard. Simply select the required device in the north pane of the Dashboard, go to the Mobile Device menu and Delete Mobile Device, this option is also available when right-clicking on the device. Please enter the password of the account you have logged into the Dashboard under to confirm deletion and remove the association between the mobile device and Dashboard.

To fully remove MDM from an Apple Device it may be necessary for the user to delete the MDM profile. On the device go to Settings, General, Device Management. Select and remove the MDM profile, entering the authentication information when required.

iOS Firewall Requirements

For Apple iOS we utilize the device’s in-built MDM framework APIs which are controlled via the Apple Push Notification Service (APNS) and to permit the APNS traffic when connecting via Wi-Fi the following TCP ports must be open in the firewall:

Port

Service or Protocol Name

Notes

1640

Certificate Enrollment Server

Used for over the air Managed Device Management enrolment

2195

Apple Push Notification Service

Used to send notifications to the APNs

2196

Apple Push Notification Service

Used by the APNs feedback service

2197 Apple Push Notification Service Used to send notifications to the APNS

5223

Apple Push Notification Service

Used by devices to communicate to APNS and receive push notifications

443

Secure Sockets Layer (HTTPS)

Used as a fallback where devices are unable to communicate with APNS on port 5223

The device may be unable to use APNS if there is a proxy server on the Wi-Fi network as APNS requires a direct and persistent connection from device to server.

^ Windows 10 is currently unsupported.