Administrators Guide
October 2013
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time. 2004-2013 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software. U.S. 
Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide
Intended audience
Guide conventions
Where to go for more information
Contacting Centrify Corporation
Chapter 1
What is Centrify for Samsung KNOX?
Benefits of Centrify for Samsung KNOX for your organization
Using Centrify for Samsung KNOX on mobile devices
Accessing web-based single sign-on applications
Accessing native mobile applications
Using the MyCentrify web-based user portal
Administering Centrify for Samsung KNOX
Using Centrify for Samsung KNOX administrator tools
Providing Centrify for Samsung KNOX to your users
Setting up SSO for Centrify for Samsung KNOX
Setting up Centrify for Samsung KNOX MCM and MDM
For more information
Chapter 2
Specifying the right to modify permissions in Active Directory
Installing the Centrify cloud proxy server
Configuring the cloud proxy server for MDM and MCM
Completing the Cloud Proxy Server Configuration Wizard
Configuring the Centrify cloud service
Enrolling the mobile device
Creating the KNOX Container
Installing Centrify for KNOX from Samsung KNOX Apps
Preparing a device that uses MDM/MCM from another vendor
Preparing a device that uses Centrify for Samsung KNOX for MDM/MCM
Chapter 3
Configuring the Centrify cloud service for single sign-on
Deploying applications from Cloud Manager
Selecting web applications using MyCentrify
Deploying mobile applications that use SSO
Configuring the Centrify cloud service for MDM/MCM settings
Managing mobile devices and Knox containers
Sending commands to devices
Generating reports
Self-service management with MyCentrify
Intended audience
This guide contains information for system and network administrators who are responsible for managing access to network resources, particularly access to internal network resources from outside mobile devices or access to outside web services provided by other organizations. These administrators should know how to use Microsoft Windows tools, especially these components: Active Directory Users and Computers and Group Policy Management Editor.
Guide conventions
This guide uses the following conventions:
Fixed-width font presents sample code, program names or output, file names, and commands that you type at the command line. When italicized, the fixed-width font indicates variables.
Bold text emphasizes commands, buttons, or user interface text, and introduces new terms.
Italics present book titles and emphasize specific words or terms.
Terms enclosed in [braces] in command syntax are optional.
supported platforms, and any additional information, specific to this release, that may not be included in other documentation.
Cloud Manager help provides task-oriented information for administrators who need to modify applications, manage roles and users, and configure settings in the Cloud Manager. To open, click Help from the user account drop-down list in the Cloud Manager administrator web portal.
MyCentrify help provides task-oriented information for users to navigate and launch their deployed applications, view their activity, manage their own mobile devices, and specify some Active Directory settings. To open, click Help from the user account drop-down list in the MyCentrify user web portal.
Application configuration help provides specific details for configuring each kind of application that Centrify provides, including individual SaaS applications for SSO, user-password applications, and mobile applications. To open, click the Help link from an application in the App Catalog.
The Centrify User Suite Overview, Installation, and Configuration Guide provides more in-depth explanations of the installation procedures and the group policies.
Chapter 1
Inside the Samsung KNOX container, you can provide your users single sign-on access (SSO) to mobile and web applications that you control and manage. You can configure web-based Software as a Service (SaaS) applications, such as Salesforce or Office 365. You can also deploy mobile applications that are specially configured to work inside of the KNOX container. Some mobile container applications can also be configured for SSO so that your users don't have to log in separately when launching them. Centrify for Samsung KNOX securely connects with your existing Active Directory infrastructure but does not copy any Active Directory information into the cloud. You install the Centrify cloud proxy server on a computer in your network, and the cloud proxy server handles the communication between Active Directory and the Centrify cloud service. Along with the cloud proxy server, you can also install Centrify extensions to Active Directory Users and Computers (ADUC) and Group Policy Management Editor (GPME). These extensions provide an easy way for you to manage your users' mobile devices and KNOX containers.
The cloud proxy server connects to the Centrify cloud service, which provides the backend services for all of the features of the Centrify for Samsung KNOX solution, including the Cloud Manager and MyCentrify web portals.
You log in to the Cloud Manager administrative web portal to add, configure, and deploy both web and mobile applications. You can assign Active Directory users and groups to roles and deploy applications to specified roles. You can also use Cloud Manager to manage devices and containers, create custom reports, and manage your system-wide settings. Your users log in to the MyCentrify user web portal to manage their own devices, launch web applications, and view their activity and Active Directory account information.
get their work done. Both you and your users experience greater peace of mind as users no longer store passwords in non-secure locations or use passwords that are easy to remember but don't meet corporate security guidelines.
Reduce your helpdesk burden: As much as 40% of your helpdesk call volume can be related to password or account reset issues. Your users lose productivity and IT experiences greater frustration and unnecessary expense. Centrify for Samsung KNOX can quickly lower costs by improving user productivity and reducing web-based account or account reset calls by as much as 95%.
Improve security: According to the 2012 Verizon Data Breach Investigations Report, five of the top six attack vectors were focused on users' passwords, accounting for the majority of data breaches. Centrify for Samsung KNOX reduces or eliminates the use of passwords for authenticating to users' applications through the use of secure single sign-on. When necessary, you can remove access to all applications by simply disabling a user's Active Directory account. There are fewer passwords and password storage locations, making the Samsung mobile device more secure.
Improve IT monitoring and control: Every web and mobile application in use by your organization represents yet another silo of identity and access control challenges. By controlling access to SaaS applications through Centrify for Samsung KNOX and centrally authenticating users with their Active Directory identity, you gain valuable information about which applications users are using. When a person leaves your organization, you can easily and quickly shut down their access to all of your business-critical SaaS applications.
Reduce compliance overhead: With easy and thorough reporting on who in your organization has access to which SaaS and mobile applications, and what they did with that access privilege, you can more quickly show compliance with regulations and industry best practices, freeing up expensive IT resources to deliver on projects that are important to the prosperity of your organization.
Leverage existing infrastructure and skill sets: By providing the industry's tightest integration of SaaS and mobile applications with Microsoft Active Directory, you can more cost-effectively deliver single sign-on and security because you can leverage existing technology, skill sets, and processes associated with your Active Directory environment.
mobile applications are assigned to that user. The trust provides the user with single sign-on access to the assigned applications. Users can access two different kinds of applications inside of the KNOX container: web applications and mobile applications.
Users can add applications that require a user name and password, and applications that use a bookmark by going to the MyApps page and clicking Get More Apps. These web applications display on the MyApps page in the MyCentrify web portal and also in the Centrify for KNOX mobile application.
Deploying mobile applications
Managing roles for users and groups
Configuring application settings for specific users, when needed
Managing Samsung KNOX devices and containers
Administering general settings and policies, such as authentication, session timeout, intranet IP range, and so forth
Reporting on all cloud service information
You can configure group policies specific to Samsung KNOX containers and Samsung SAFE devices using the Centrify for Samsung KNOX Group Policy Management Editor (GPME) extension.
With the Centrify for Samsung KNOX Active Directory Users and Computers (ADUC) extension, you can perform management tasks for devices, call logs, and Samsung KNOX containers.
You use the Cloud Proxy Server Configuration tool to manage the cloud proxy server and its connection between your Active Directory and the Centrify cloud service.
Centrify for KNOX application: Available from the Samsung KNOX Apps Store. With this application, which is installed in the Samsung KNOX container, your users log in to this application and get single sign-on access to the web and mobile applications that you deploy to their Samsung KNOX container.
If you're using Centrify for Samsung KNOX for SSO only and not for MDM/MCM (for creating and managing the container and managing the devices), your users need just the Centrify for KNOX application.
For access to the MyCentrify user web portal, you provide your users the MyCentrify URL and the information they need to log in.
You can deploy SAML applications or applications that use just a user name and password for authentication, or even a simple bookmark of an application URL. The process of deploying mobile applications is similar to deploying web applications. You provide either the custom APK binary file or the package name of the application in Google Play or the KNOX Apps Store. For mobile applications that are configured for SSO inside the KNOX container, you also deploy a matching web SAML application to provide the SSO functionality for the mobile application (because SAML authentication is needed for SSO and mobile applications don't use SAML directly).
Chapter 2
Configuring the Centrify cloud service
Enrolling the mobile device
Creating the KNOX Container
Installing Centrify for KNOX from Samsung KNOX Apps
To install and configure the Centrify for Samsung KNOX solution, you need to have the following:
Requirement: Windows computer
Description: You install the cloud proxy server on this computer. This computer must be joined to your Active Directory domain controller and meet the following specifications:
Windows Server 2008 R2 (64-bit) or Windows 7 (32-bit or 64-bit)
Internet access
Microsoft .NET version 4.0 or later; if it isn't already installed, the Centrify installer installs it for you.

Requirement: Administrator access to your Active Directory domain controller and modify permissions
Description: The account you use to install the cloud proxy server must have administrator privileges on the domain controller. In addition, you must have Active Directory Modify Permissions ability (see Specifying the right to modify permissions in Active Directory).

Requirement: Samsung KNOX-capable device
Description: You install the applications that are part of the Centrify for Samsung KNOX solution from Google Play and the Samsung KNOX Apps store on this device. The device must have at least Wi-Fi network connection to the internet.

Requirement: The Samsung KNOX license key and licenses for mobile devices
Description: You need one license key per Centrify cloud service account in order to implement the Centrify for Samsung KNOX solution and a license for each mobile device you want to enroll. If you don't have the license key and licenses yet, contact Samsung or your mobile service provider.

Requirement: A supported browser
Description: You and your users need to be able to access the web portals that help you manage devices and applications (Cloud Manager for you and MyCentrify for users). The Cloud Manager and MyCentrify web portals for this version of Centrify for Samsung KNOX have been confirmed for use on the following web browsers:
Internet Explorer: version 9 and 10 on Windows 7 and Windows 2008R2 server
Mozilla Firefox: version 23 and later
Google Chrome: version 28 and later
Apple Safari: version 6

You and your users need to have Google Play accounts so that they can download the free Centrify cloud service application to their devices.

Your users need accounts to be able to download the free Centrify for KNOX application from the Samsung KNOX Apps store. If you do not already have an account, you can create one just before you install Centrify for KNOX.
click OK.
6 In the Permission entry dialog box, click Allow for Modify Permissions and click OK.
The Permissions tab of the Advanced Security Settings dialog box lists the user or group to which you have given the right to modify permissions.
7 In the Advanced Security Settings dialog box, click OK.
8 In the Properties dialog box, click OK.
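To confirm the result of this procedure outside the dialog boxes, the following PowerShell (an added example, not part of the Centrify guide) lists every principal that holds the Modify Permissions right, which appears as WriteDacl in the ACL, on an Active Directory object. It assumes the RSAT ActiveDirectory module is installed; the function name is hypothetical, and auditing the domain's default Computers container is an assumption, so substitute the object on which you granted the right.

```powershell
# Added example, not from the Centrify guide.
# Requires the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-ModifyPermissionHolder {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Distinguished name of the container or OU to audit.
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )

    # "Modify Permissions" in the Advanced Security Settings dialog box
    # is the WriteDacl bit of ActiveDirectoryRights. GenericAll (Full
    # Control) also contains that bit, so Full Control holders are listed.
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($ace in $acl.Access) {
        # Deny entries do not grant the right; skip them.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($writeDacl)) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited          # $false = set on this object
            AppliesTo = $ace.InheritanceType      # None, All, Descendents, ...
        }
    }
}

# Assumption: audit the domain's default Computers container, which this
# guide names as the default container for enrolled device objects.
$target = (Get-ADDomain).ComputersContainer

Get-ModifyPermissionHolder -DistinguishedName $target |
    Sort-Object Principal |
    Format-Table -AutoSize
```

Entries with Inherited set to False were granted directly on the object; any principal in the output that you do not recognize as an administrator or as the cloud proxy server installation account is worth reviewing.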
Server Installer zip file appropriate for your system: Cloud-Mgmt-Suite-<version>-win32.exe for 32-bit Windows or Cloud-Mgmt-Suite-<version>-win64.exe for 64-bit Windows. If Microsoft .NET version 4.0 or later is not already installed on your computer, the installer installs it for you. Restart your computer after .NET installation and then you can continue the installation of the Cloud Management Suite.
2 Click Next on the welcome screen. Then, indicate your agreement to the licensing terms
The components you install depend upon whether you are using Centrify for Samsung KNOX for SSO alone or for MDM/MCM, with or without SSO. If you are using Centrify for Samsung KNOX as your MDM and MCM solution, select all of the components (the default) for installation. If you are using another vendor's MDM and MCM solution, deselect the Centrify for Mobile Tools option (circled in the picture).
Click Next.
5 In the Ready to Install Cloud Management Suite page, click Install to perform the installation.
6 When the installation completes, keep Run Connection Test selected and click Finish. A connection test runs to verify that your server is connected properly for the proxy server to run. If any errors are returned, you must fix them before continuing.
7 Click Close to close the Connection Test dialog box, then the Cloud Proxy Server
3 In the Web Proxy Configuration page, if your network has a web proxy server that you want to use for the connection to the Centrify cloud service, select the Use a web proxy server... option. If you do not have a web proxy server, click Next without selecting the option; the cloud proxy server won't connect through the web proxy server. If you selected the web proxy option, enter the following information:
Address: The URL of the web proxy server.
Port: The port number to use to connect to the web proxy server.
4 Click Next to continue.
The Configuring Mobile Use screen appears. Your selection in this screen depends upon whether you are using Centrify for Samsung KNOX or another vendor for mobile device and container management.
5 Do one of the following:
If you are using Centrify for Samsung KNOX as your MDM and MCM solution, keep the Configure Centrify for Mobile option selected and continue to Configuring the cloud proxy server for MDM and MCM.
If you are using another vendor's MDM and MCM solution, deselect the Configure Centrify for Mobile option and continue to Completing the Cloud Proxy Server Configuration Wizard.
This procedure is for organizations using Centrify for Samsung KNOX for MDM/MCM. If you are using an MDM solution from another vendor, skip this procedure. When you select the Configure Centrify for Mobile option, the configuration wizard displays the following screen:
In this procedure you define who can enroll mobile devices (only the members of the Active Directory groups you define in this dialog box can enroll devices) and the containers for the mobile device objects. The Active Directory group and organizational unit are always specified as a pair. By default, the user group is Domain Users and the organizational unit is Computers. When you select the default, any user with an account in the Active Directory Users container can enroll mobile devices, and the Centrify cloud service adds the device record to the Computers container when the user enrolls the device. You can specify additional group and container pairings at any time using the Cloud Proxy Server Configuration program.
To configure the cloud proxy server:
1 In the Configuring Mobile use window, click Next to accept the default Users and Computers containers.
2 Click OK when finished.
3 Click Next.
Cloud Manager prompts you for a user name and password. Enter your full Active Directory login name, including UPN suffix (for example, first.last@domain.com) and password. Cloud Manager displays the Apps page. This page is blank until you deploy applications.
3 Select the Settings page.
4 Under Settings, select Samsung KNOX Settings.
5 Click the Samsung KNOX License Key field and enter the license key.
6 Click Save.
install this application? and touch Install. This initiates the installation process. When it's complete, the screen displays Application Installed.
5 Touch Open to proceed with enrolling your device.
6 Enter your user name and password.
Enter your full Active Directory login name, including UPN suffix (for example, first.last@domain.com) and password.
7 Centrify displays the screen, Active Device Administrator?
8 Read through the text and touch Activate.
and understood, and I agree to, all of the terms and conditions above and then touch Confirm. After you enroll the device, Centrify continues in the background to load applications deployed to the device and install group policies. This may take a minute or two.
You can send the Create container command from Cloud Manager that lets the user create the KNOX container as soon as the command is received on the device.
After the device is enabled, the device owner uses the Centrify application running on the phone to create the KNOX container. In this procedure, you send the Create container command from Cloud Manager. In the subsequent procedure, you create the KNOX container from the device.
To enable the user to create a KNOX container:
1 If Cloud Manager is not open, enter the URL https://cloud.centrify.com/manage in
Cloud Manager sends the command immediately to the device. The create message appears briefly in the Navigation tray in the device.
To create the container:
1 If the Centrify mobile application is not open on your device, open Apps and touch Centrify.
2 Touch the Setup tab.
3 Under SETUP REQUIRED, touch Create KNOX container.
acknowledge that I have read and understood, and I agree to, all of the terms and conditions above; then touch Confirm. This initiates downloading the KNOX container software. This can take a minute or two. When the download is complete, Centrify displays the KNOX container Terms and conditions and Privacy Policy screen.
5 Read through the Terms and conditions and Privacy Policy, select I accept all the
This initiates KNOX container creation. KNOX container creation takes a minute or so to complete.
7 Touch Launch.
The Centrify cloud service confirms that you have a license available.
8 Enter your password and touch Done.
You are now inside the KNOX container. The applications shown in the container are different from the applications displayed on your home screens. You manage applications that appear outside and inside the container (for example, Email, Phone, and Contacts) separately. For example, you can configure the Email application inside the KNOX container and outside the KNOX container for different accounts. You can install additional mobile applications inside the container from the Samsung KNOX Apps store. You can also deploy web applications and wrapped mobile applications to the KNOX container using Cloud Manager. There are two icons you use to enter and exit the Samsung KNOX container. To enter the container from your home screen, touch this icon.
This icon is added to your Apps catalog when you create the container. You can also enter the container by dragging down on the device's notification bar and touching Samsung KNOX Tap to Start.
Users can add their own web applications. See MyCentrify help for the details.
Centrify for KNOX provides SSO authentication for all web applications. Users just log in once. After that, Centrify for KNOX safely stores the credentials for that application and silently authenticates the user on subsequent logins. Before you can install Centrify for KNOX in the container, Centrify for KNOX must be added to a whitelist of applications allowed to use the Samsung KNOX container's SSO feature. How you configure the device depends upon whether you are using Centrify for Samsung KNOX or another vendor for MDM/MCM.
Preparing a device that uses Centrify for Samsung KNOX for MDM/MCM
The Centrify cloud service automatically enables the Samsung KNOX SSO feature; however, you must add Centrify for KNOX to the whitelist of applications allowed to use it.
To enable Centrify for KNOX to use the Samsung KNOX SSO feature, you enable a group policy and add Centrify for KNOX to a whitelist. To enable the group policy you use the Group Policy Management Editor. The following procedures describe how to enable the SSO whitelist group policy, add the Centrify for KNOX application to the whitelist, and update the device with the new policy setting.
To enable the Application SSO whitelist policy and add Centrify for KNOX:
1 Open the Group Policy Management Editor and select for editing the group policy object you have linked to the organizational unit with your Samsung KNOX device. If you used the default user group and device container setting when you installed the Centrify cloud proxy server (the Active Directory Users group and Computers container), the group policy object is Default Domain Policy.
2 Expand Computer Configuration > Policies > Centrify Cloud Management
(You enter the application's package name rather than the application name.)
6 Click OK to exit the dialog box.
To update the group policy on the device:
1 Open Active Directory Users and Computers.
2 Select the container you selected for mobile devices. (If you used the default user group and device container setting when you installed the Centrify cloud proxy server, the default container is Computers.)
3 Right-click the device you enrolled and select All Tasks > Device Management > Update Policies.
The Centrify cloud service installs the new group policy. You can see the new policy in the Centrify Setup screen.
KNOX icon, and touch it. You are now in the KNOX container.
2 Touch Samsung KNOX Apps.
If you are using Centrify for Samsung KNOX for MDM/MCM, Centrify for KNOX uses your Active Directory credentials to authenticate you and displays the web applications deployed. If you are using another MDM/MCM provider, Centrify for KNOX prompts you to enter your Active Directory credentials and then displays the list of web applications. At this point, however, no web applications have been deployed.
Chapter 3
Configuring the Centrify cloud service for MDM/MCM settings
Managing mobile devices and Knox containers
Self-service management with MyCentrify
Selecting web applications using MyCentrify
Deploying mobile applications that use SSO
See Cloud Manager help for further details. To open Cloud Manager help, enter the URL https://cloud.centrify.com/manage in your browser, log in, and click Help in the user account drop-down list (circled in the picture).
The first step in web application deployment is defining the roles to which you will assign the web applications. When you open Cloud Manager and select the Roles page, there are two default roles:
sysadmin: Users in this role have full Centrify cloud service administrator policies. Your Active Directory account was automatically added to this account when you installed the proxy server.
Everybody: Applications assigned to this role are deployed to all cloud users.
To assign the Dropbox - Web User Password application to the sysadmin account, perform the steps in the next procedure. This example skips the first two web application deployment tasks because it uses the existing sysadmin role in which you are already a member.
To deploy a web application to the sysadmin role:
1 Open Cloud Manager and select the Apps page.
2 Click Add App.
3 Click the search box and enter drop.
4 Select the Dropbox Web - User Password application and click Add App.
Dropbox is displayed. Open Dropbox if you have an account to log in to. If you do not have an account, delete Dropbox from the container.
Prepare devices so users can create their Samsung KNOX container
Prepare the devices in one of these ways:
- Edit the group policy object for the mobile devices and enable the Create/Don't create container at enrollment group policy. When you select this option, users can create the KNOX container right after they enroll the device.
- On the Devices page in Cloud Manager, select the devices, click the Container Management drop-down list, and select the Create Container command. When you select this option, the device must be enrolled first.
Enable SAFE and KNOX group policies in the group policy objects for mobile devices
1 Open the Group Policy Management Editor and open an existing group policy object for editing or create a new one.
2 Expand the Computer Configuration and Policies to show the Centrify Cloud Management Settings.
3 Enable the SAFE and KNOX policies you need. The Centrify cloud service provides a wide variety of mobile-device-specific policies and installs the policies when the user enrolls the device.
4 Save the group policy object.
5 Assign the group policy object to the mobile device organizational unit.
Configure Cloud Manager settings, such as:
- Cloud Manager and MyCentrify banner colors and icons
- Multifactor authentication
- Email quarantining for unenrolled devices
See Managing Cloud Manager settings in Cloud Manager help for more details.
Deploy and manage mobile and web applications (optional)
See Deploying applications from Cloud Manager to deploy web applications. See Managing applications in Cloud Manager help for more details.
To open Cloud Manager help, enter the URL https://cloud.centrify.com/manage in your browser, log in, and click Help in the user account drop-down list (circled in the picture).
Enrolled devices are listed in the Active Directory container you designated when you enabled Active Directory groups to enroll devices. You send a command from the device's Properties window. Use the following procedure to send a Power Off command to the device you enrolled from Active Directory Users and Computers.
To send the Power Off command to a device:
1 Open Active Directory Users and Computers.
2 Open the Active Directory container you selected for mobile devices (the default is Computers).
3 Right-click the device you enrolled.
4 Expand the All Tasks and Device Management menus.
5 Click Power Off.
The Centrify cloud service sends the command to the device immediately.
Invoking commands from Cloud Manager
The same device details and commands provided in Active Directory Users and Computers are available in the Cloud Manager interface. To invoke the commands from Cloud Manager, you select the device on the Devices page. The commands are listed under the device name. Use the following procedure to send the Lock Container and Unlock Container commands to the device you enrolled from Cloud Manager.
To lock and unlock the KNOX container from Cloud Manager:
1 Open and log in to Cloud Manager.
2 Select the Devices page.
3 Select the device you enrolled.
4 Click the Container Management drop-down list.
5 Click Lock Container.
You get the message "KNOX has been locked. Contact your administrator to unlock."
7 Touch OK.
8 In Cloud Manager, click the Container Management drop-down list.
9 Click Unlock Container.
Now when you touch the KNOX icon on the device, you are prompted to enter your password, and the container is opened.
Generating reports
On the Reports page in Cloud Manager, you can generate reports of real-time Centrify cloud service data. Cloud Manager provides a set of SQL scripts you can use as is or modify to expand your query. Alternatively, you can create your own SQL scripts or expand upon the built-in scripts. The following procedure demonstrates how to generate a report from one of the built-in scripts.
To generate a report from a built-in Cloud Manager script:
1 Open Cloud Manager and log in.
2 Click Reports.
3 Under Report Library, expand Builtin Reports and click mobile.
A report is generated listing all of the Android OS versions and the number of devices that have that version. From this report you can do the following:
- Click View to view the script that generated the report.
- Click Export to export the data to a file.
- Click Copy to copy the script to another Report Library folder.
If you aren't in Cloud Manager, enter the URL https://cloud.centrify.com/my in your browser to go to MyCentrify and log in using your full Active Directory credentials.
2 Click MyDevices.
3 Click the device you enrolled.
4 Click Device Management > Unenroll.
The Centrify cloud service sends the Unenroll command and the Centrify application unenrolls the device. To enroll again, touch the Centrify application icon on your device and enter your Active Directory credentials. When you unenroll a device, its information remains in Cloud Manager and Active Directory. The information is not removed until you explicitly delete it.