Installation Guide
McAfee Enterprise Mobility Management 12.0 Software
For use with ePolicy Orchestrator 4.6.7-5.1 Software
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
2 McAfee Enterprise Mobility Management 12.0 Software Installation Guide
Contents
Preface
    About this guide
        Audience
        Conventions
    Find product documentation
1 Planning your installation
    McAfee EMM components
        Server components
        Client components
    Configuration overview
        High Availability configuration (multiple servers)
        Enhanced security configuration (dual servers)
        Basic security configuration (single server)
    Installation requirements
        System requirements
        Certificate requirements
        Network requirements
2 Installing in enhanced or basic security configurations
    Install the McAfee EMM extension bundle in ePolicy Orchestrator
    Run the Deployment Helper
    Install McAfee EMM server components
    Add McAfee EMM as a registered server in ePolicy Orchestrator
3 Upgrading in enhanced or basic security configurations
    Upgrade the McAfee EMM ePolicy Orchestrator extension bundle
    Upgrade McAfee EMM server components
        Upgrade McAfee EMM server components in enhanced security configurations
        Upgrade McAfee EMM server components in basic security configurations
4 Installing or upgrading in High Availability configurations
    Install McAfee EMM in High Availability environments
    Upgrade McAfee EMM in High Availability environments
A Settings for components
    Database settings
    LDAP server settings
    Hub server settings
    Portal certificate settings
    MDM certificate settings
    Communication settings
    ActiveSync server settings
    GCM settings
    DMZ settings
Index
Preface
This guide provides the information you need to work with your McAfee product.
Contents
• About this guide
• Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.
1 Planning your installation
Before installing McAfee® Enterprise Mobility Management (McAfee EMM™) for McAfee® ePolicy Orchestrator®, learn about the software components, decide on a configuration model, and verify that your system meets minimum requirements.

Contents
• McAfee EMM components
• Configuration overview
• Installation requirements

McAfee EMM components
The McAfee EMM system includes server-side and client-side components that are managed through ePolicy Orchestrator.
McAfee EMM 12.0 can be used with ePolicy Orchestrator 4.6.7–5.1.
The McAfee EMM extension bundle for ePolicy Orchestrator includes these extensions:
• McAfee Enterprise Mobility Management — Provides the core McAfee EMM functionality.
• McAfee Mobile ePO — Allows ePolicy Orchestrator to communicate with mobile devices.
• PKI — Enables secure, certificate-based authentication for VPN or Wi-Fi connections on iOS devices.
• Help — Provides context-sensitive help for McAfee EMM interface pages, and provides on-screen access to the product guide.
Server components
These components are installed on enterprise servers to administer McAfee EMM.

| McAfee EMM server component | Description |
|---|---|
| Hub | Manages communication between McAfee EMM components and with ePolicy Orchestrator. The Hub allows secure communication across the firewall (between the DMZ and the internal network) and eliminates the need to open custom firewall ports. SSL communication is established between the components. The Hub is paired with the McAfee EMM database, which stores all data required for McAfee EMM to function. |
| Portal | Allows device users to initiate wipe requests in the event their device is lost or stolen. Users access the Portal from a browser on a PC or mobile device. We recommend installing the Portal in the DMZ. |
| Proxy | Proxies ActiveSync traffic to the email servers. This IIS (Internet Information Services) application controls access to enterprise resources on the DMZ server. We recommend installing the Proxy in the DMZ. |
| Push Notifier | Sends push notifications to mobile devices. The Push Notifier is a required component that communicates with Apple and Google push notification services. We recommend installing the Push Notifier in the DMZ. |
Client components
These components are installed on mobile devices that are registered on the enterprise network. They help configure the device and communicate with the McAfee EMM server.

| McAfee EMM client component | Description |
|---|---|
| McAfee EMM iOS app | Free app that enforces security policies, notifies users of compliance issues, and configures corporate email, contacts, and calendars using the device's native apps. |
| McAfee EMM Android app | Free app that enforces security policies, notifies users of compliance issues, and optionally pairs with McAfee® Secure Container to manage corporate email, contacts, and calendars. |
| McAfee Secure Container app (Android devices) | Free app that encrypts and passcode-secures enterprise email, contacts, and calendars. |
Configuration overview
Your McAfee EMM configuration depends on the unique needs of your environment.

There are three basic configurations for the McAfee EMM server components.

| Configuration | Recommended for |
|---|---|
| High Availability (multiple servers) | Organizations where email is critical to business operations |
| Enhanced security (dual servers) | Most organizations |
| Basic security (single server) | Smaller organizations without complex security requirements |
Regardless of the configuration you use, follow these guidelines for setup of the McAfee EMM Hub.
• The McAfee EMM Hub can be registered to only one ePolicy Orchestrator server.
• The McAfee EMM Hub and ePolicy Orchestrator should be hosted on separate servers for optimum performance.
• The McAfee EMM Hub automatically connects to ePolicy Orchestrator Agent Handlers. Agent Handler assignment rules aren't configurable for McAfee EMM.
High Availability configuration (multiple servers)
The High Availability (HA) configuration is appropriate for organizations where email is critical to business operations.

HA configuration installs McAfee EMM on multiple servers. The McAfee EMM Portal, Proxy, and Push Notifier are installed on multiple Internet-facing IIS servers in the DMZ. The McAfee EMM Hub is installed on one or more servers in the internal subnet.
Additional HA configuration requirements include SQL Server clustering as well as two load balancers:
• Proxy load balancer — Located in front of proxies and behind the external network firewall.
• Hub load balancer — Located in front of the McAfee EMM Hubs and behind the internal network firewall.
For details about configuring load balancers, see KB81305.
We recommend using multiple ePolicy Orchestrator Agent Handlers to ensure continual communication between the McAfee EMM internal server and the ePolicy Orchestrator server.
Figure 1-1 Typical High Availability configuration
Enhanced security configuration (dual servers)
The enhanced security configuration is recommended for most McAfee EMM installations. This configuration provides maximum security and verifies web traffic before it enters your private network.

The enhanced security configuration installs McAfee EMM on two servers. The McAfee EMM Portal, Proxy, and Push Notifier are installed on an Internet-facing IIS server in the DMZ. The McAfee EMM Hub is installed in the internal subnet.
Figure 1-2 Typical enhanced security configuration
Basic security configuration (single server)
The basic security configuration is appropriate for smaller organizations without complex security requirements, or for trial installations.

The basic security configuration installs all McAfee EMM server components on a single server located in the internal subnet.
Figure 1-3 Typical basic security configuration
Installation requirements
McAfee EMM has specific system, certificate, and network requirements for installation and operation.

For details about supported mobile device operating systems, see KB81475.

System requirements
Before installing McAfee EMM, verify that your system meets these minimum operating requirements.

These requirements apply to the McAfee EMM server components. For details about ePolicy Orchestrator requirements, see the ePolicy Orchestrator documentation.

To simplify installation and maintenance, we recommend creating a McAfee EMM service account. The account must be a local administrator account that has permission to create a database on the SQL Server. For details about SQL database permissions, see KB79251.

If you use Windows Authentication for database connectivity, we recommend using a domain account for installation.
Software:
• ePolicy Orchestrator 4.6.7–5.1

Hardware (physical or virtual):
• 4 GB RAM
• Dual Core CPU

Operating system:
• Windows Server 2008 64-bit with Service Pack 2 or later (Standard or Enterprise Edition)
• Windows Server 2008 R2 64-bit with Service Pack 1 or later (Standard or Enterprise Edition)
• Windows Server 2012 64-bit (Standard Edition)
• Windows Server 2012 R2 64-bit (Standard Edition)
If the McAfee EMM server components are installed on a Windows Server 2012, you might need to manually resolve discrepancies with the certificate storage location to avoid a connection error when registering the McAfee EMM server. See KB81110 for details.

SQL Server:
• 2008 64-bit with the latest Service Pack (Enterprise Edition)
• 2008 R2 32- and 64-bit with the latest Service Pack (Enterprise, Standard, or Workgroup Edition)
• 2012 64-bit with the latest Service Pack (Enterprise Edition)
Configuration and limitations:
• Database collation must be configured to the U.S. English default: SQL_Latin1_General_Cp1_CI_AS.
• SQL Express R2 is appropriate only for trial installations, with a single, on-premise server used in non-production environments.

Mail server:
• Exchange 2007, 2010, or 2013
• Domino 8.5.3 or 9.0
Other mail servers might work, but aren't tested for use with Exchange ActiveSync.

CA server (PKI environments):
• Windows Server 2008 R2 64-bit with Service Pack 1 or later (Standard or Enterprise Edition), with Simple Certificate Enrollment Protocol (SCEP) enabled
Server must be configured to use the Client Authentication certificate template.

Internet browsers:
• Internet Explorer 10.0 or later
• Firefox 10.0 or later
• Chrome 17 or later
To access certain McAfee EMM features, Microsoft Silverlight 3.0 or later must be installed on the browser and pop-ups must be allowed for your ePolicy Orchestrator site.
Supported languages
McAfee EMM software runs on any supported operating system regardless of the configured locale.
The McAfee EMM interface has been translated into the languages shown here. Language support varies by ePolicy Orchestrator version. When the software is installed on an operating system using a language that is not on this list, the interface defaults to English.

ePolicy Orchestrator 4.6.7: Chinese (Simplified), Chinese (Traditional), English, French, German, Japanese, Korean, Russian, Spanish

ePolicy Orchestrator 5.0 and later: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English, Finnish, French, German, Italian, Japanese, Korean, Norwegian, Portuguese (Brazilian), Portuguese (Iberian), Russian, Spanish, Swedish, Turkish
Certificate requirements
Before installing McAfee EMM, understand and verify these credentials. The McAfee EMM Deployment Helper walks you through obtaining portal and Mobile Device Management (MDM) certificates.

Retain a copy of your portal and MDM certificates and passwords in a secure location in case you need to restore them later.
| Credential | Used for | Used by | Expiration | Notes |
|---|---|---|---|---|
| Portal certificate | Mobile device verification and secure communication between the McAfee EMM server and client components. | McAfee EMM Portal, McAfee EMM Proxy, Windows IIS | Varies. Obtain updates from your certificate authority. | Must be a public certificate (not self-signed) obtained from a recognized certificate authority like Verisign or GoDaddy. Without a trusted certificate, users can't configure devices. Must match the address (A) record defined in the Domain Name System (DNS) unless a wildcard (*) certificate is used. |
| MDM certificate | Communication with Apple Push Notification services for device management. | McAfee EMM Push Notifier | Annually. Obtain updates from Apple. | See KB73382 for details about generating or renewing MDM certificates. Update MDM certificates before they expire to avoid reconfiguring all iOS devices on your network. |
| iOS Agent Push Notification certificate | Communication with Apple Push Notification services for user notifications. | McAfee EMM Push Notifier | Annually. Obtain updates by visiting the McAfee Downloads site and entering a valid McAfee EMM grant number. | Installed automatically with McAfee EMM. |
| Google Cloud Messaging (GCM) account credentials | Communication with Google Push Notification services. | McAfee EMM Push Notifier | Does not expire unless you generate a new token using the same Sender ID. | See KB77397 for details about generating GCM credentials. |
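A check of the certificate properties listed in the table above (not self-signed, name matches the portal address unless a wildcard is used, renewed before expiry), as an added example that is not McAfee code. It reads the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates, host names, dates and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone


def cert_names(cert):
    """DNS names a client matches: subjectAltName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a '*' that stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False          # '*.example.com' never covers 'a.b.example.com'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_cert(cert, host=None, now=None, warn_days=30):
    """Return a list of problems; an empty list means the checks passed.

    host is the externally facing portal name (None for the MDM certificate,
    which is not bound to a site name). warn_days is an assumed renewal window.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    # Subject equal to issuer means self-issued. Passing this check does not
    # prove the issuer is a publicly trusted CA; it only rules out self-signing.
    if cert.get("subject") and cert["subject"] == cert.get("issuer"):
        problems.append("self-signed")
    if host is not None and not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name-mismatch")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        problems.append("expired")
    elif expires - now <= timedelta(days=warn_days):
        problems.append("expires-soon")
    return problems


def _dn(common_name, organization):
    # Helper that builds a distinguished name in getpeercert() layout.
    return ((("organizationName", organization),), (("commonName", common_name),))


# Constructed samples (not real certificates).
SAMPLE_NOW = datetime(2014, 12, 20, tzinfo=timezone.utc)
PORTAL_SAMPLE = {
    "subject": _dn("*.example.com", "Example Corp"),
    "issuer": _dn("Example Public CA", "Example CA Inc"),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Jun  1 12:00:00 2015 GMT",
}
LAB_SAMPLE = {  # self-signed certificate left over from a trial installation
    "subject": _dn("emm.lab.example.com", "Example Corp"),
    "issuer": _dn("emm.lab.example.com", "Example Corp"),
    "notAfter": "Jan 15 00:00:00 2015 GMT",
}
MDM_SAMPLE = {  # annual push certificate that was not renewed in time
    "subject": _dn("MDM push sample", "Example Corp"),
    "issuer": _dn("Example Push CA", "Example Push Inc"),
    "notAfter": "Dec  1 00:00:00 2014 GMT",
}

if __name__ == "__main__":
    for label, cert, host in (("portal", PORTAL_SAMPLE, "emm.example.com"),
                              ("lab", LAB_SAMPLE, "emm.example.com"),
                              ("mdm", MDM_SAMPLE, None)):
        print(label, check_cert(cert, host, SAMPLE_NOW) or "ok")
```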
Network requirements
Before installing McAfee EMM, verify that your network meets these requirements.

Publicly registered domain

You have a valid, externally facing URL to access the McAfee EMM Portal and Proxy.

Router and firewall access rules

| Configuration | Allow traffic on this port | From | To |
|---|---|---|---|
| High Availability configuration (multiple servers) | 443 | Internet | McAfee EMM DMZ server |
| High Availability configuration (multiple servers) | 443 | McAfee EMM DMZ server | Email servers providing ActiveSync Services (Microsoft Exchange or IBM Notes Traveler) |
| Enhanced security configuration (dual servers) | 443 | McAfee EMM DMZ server | McAfee EMM internal server |
| Enhanced security configuration (dual servers) | 389 | McAfee EMM internal server | LDAP server |
| Enhanced security configuration (dual servers) | 88 | McAfee EMM internal server | LDAP server. Communication on this port is required only for Active Directory with Kerberos authentication. |
| Enhanced security configuration (dual servers) | 1433 (or dynamic SQL port) | McAfee EMM internal server | SQL Server where the McAfee EMM database is installed |
| Enhanced security configuration (dual servers) | 25 | McAfee EMM internal server | SMTP server |
| Basic security configuration (single server) | 443 | Internet | McAfee EMM server |
| Basic security configuration (single server) | 443 | McAfee EMM server | Email servers providing ActiveSync or Notes Traveler |
| Basic security configuration (single server) | 389 | McAfee EMM server | LDAP server |
| Basic security configuration (single server) | 88 | McAfee EMM internal server | LDAP server |
| Basic security configuration (single server) | 1433 (or dynamic SQL port) | McAfee EMM server | SQL Server where the McAfee EMM database is installed |
| Basic security configuration (single server) | 25 | McAfee EMM internal server | SMTP server |
| iOS devices | 2195 | McAfee EMM server (DMZ in enhanced security mode) | Apple Push Notification service at gateway.push.apple.com |
| iOS devices | 2196 | McAfee EMM server (DMZ in enhanced security mode) | Apple Push Notification service at feedback.push.apple.com |
| iOS devices | 5223 | Devices connected to Wi-Fi | Apple Push Notification service |
| Android devices | 443 | McAfee EMM server (DMZ in enhanced security mode) | Google Cloud Messaging service at android.googleapis.com |
| Android devices | 5228 | Devices connected to Wi-Fi | Google Cloud Messaging service |
| Android devices | 443 (to enable App Protection) | Devices connected to Wi-Fi | McAfee Global Threat Intelligence server at https://appcloud.mcafee.com/aa |

For specific port and configuration details for iOS devices in a business environment, see the Apple guide to iPhone and iPad in Business.

For outbound connections to Apple and Google push services, don't set IP-specific firewall restrictions because the IP addresses are subject to change.
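An audit of a firewall rule export against the server-side rows of the table above, as an added example that is not McAfee code. It reports required flows that are missing, openings from the DMZ into the internal network beyond those listed, and push rules pinned to an IP address. The zone labels, the placement of the mail server on the internal side, the combination of the multiple-server and dual-server rows into one DMZ/internal layout, and the sample export are assumptions of the example.

```python
import ipaddress
from collections import namedtuple

# One "allow" rule from a firewall export. Zone labels (internet, emm-dmz,
# emm-internal, mail, ldap, sql, smtp) are assumptions of this example; ports
# and push host names are the ones listed in the table above.
Rule = namedtuple("Rule", "src dst port")

INTERNAL = {"emm-internal", "mail", "ldap", "sql", "smtp"}
PUSH_HOSTS = {"gateway.push.apple.com", "feedback.push.apple.com",
              "android.googleapis.com"}
PUSH_PORTS = {2195, 2196, 443}


def required_flows(kerberos=False, sql_port=1433):
    """Server-side flows for a DMZ server plus an internal server.

    Device-side rows (5223, 5228 and App Protection on 443) concern the Wi-Fi
    networks the devices use and are outside this audit.
    """
    flows = {
        Rule("internet", "emm-dmz", 443),
        Rule("emm-dmz", "mail", 443),
        Rule("emm-dmz", "emm-internal", 443),
        Rule("emm-internal", "ldap", 389),
        Rule("emm-internal", "sql", sql_port),
        Rule("emm-internal", "smtp", 25),
        Rule("emm-dmz", "gateway.push.apple.com", 2195),
        Rule("emm-dmz", "feedback.push.apple.com", 2196),
        Rule("emm-dmz", "android.googleapis.com", 443),
    }
    if kerberos:  # port 88 is needed only for Active Directory with Kerberos
        flows.add(Rule("emm-internal", "ldap", 88))
    return flows


def is_ip_literal(value):
    """True when a destination is an address or CIDR block rather than a name."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def audit(rules, kerberos=False, sql_port=1433):
    """Return (finding, rule) pairs for a list of allow rules."""
    present = set(rules)
    required = required_flows(kerberos, sql_port)
    findings = []
    for flow in sorted(required - present):
        # An outbound push flow is also satisfied by an "any" destination.
        if flow.dst in PUSH_HOSTS and Rule(flow.src, "any", flow.port) in present:
            continue
        findings.append(("missing", flow))
    for rule in sorted(present - required):
        if rule.src == "emm-dmz" and rule.dst in INTERNAL:
            # The Hub design needs only 443 from the DMZ to the internal server.
            findings.append(("unexpected-dmz-to-internal", rule))
        elif (rule.src == "emm-dmz" and rule.port in PUSH_PORTS
              and is_ip_literal(rule.dst)):
            # Push service addresses change, so an IP-specific rule will break.
            findings.append(("ip-pinned-push", rule))
    return findings


# Constructed sample export (192.0.2.10 is a documentation address).
SAMPLE_EXPORT = [
    Rule("internet", "emm-dmz", 443),
    Rule("emm-dmz", "mail", 443),
    Rule("emm-dmz", "emm-internal", 443),
    Rule("emm-dmz", "sql", 1433),
    Rule("emm-internal", "ldap", 389),
    Rule("emm-internal", "sql", 1433),
    Rule("emm-internal", "smtp", 25),
    Rule("emm-dmz", "192.0.2.10", 2195),
    Rule("emm-dmz", "feedback.push.apple.com", 2196),
    Rule("emm-dmz", "android.googleapis.com", 443),
]

if __name__ == "__main__":
    for finding, rule in audit(SAMPLE_EXPORT):
        print(f"{finding}: {rule.src} -> {rule.dst}:{rule.port}")
```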
2 Installing in enhanced or basic security configurations

To install McAfee EMM in enhanced or basic security configurations, complete these tasks in order.

Contents
• Install the McAfee EMM extension bundle in ePolicy Orchestrator
• Run the Deployment Helper
• Install McAfee EMM server components
• Add McAfee EMM as a registered server in ePolicy Orchestrator

Install the McAfee EMM extension bundle in ePolicy Orchestrator

Install the McAfee EMM extension bundle before installing the McAfee EMM server components so that you can prepare policies for quick deployment.

This method manually installs the McAfee EMM extension bundle from a local copy. For details about other methods of checking in product packages, including using the Software Manager, see the ePolicy Orchestrator documentation.

The McAfee EMM extension bundle might be automatically installed by the Automatic Product Configuration process during ePolicy Orchestrator 5.1 configuration.

Task
For option definitions, click ? in the interface.
1 Download and save the McAfee EMM extension bundle in an accessible location.
Don't unzip the file.
2 On the ePolicy Orchestrator console, select Menu | Software | Extensions, then click Install Extension.
3 Browse to and select the McAfee EMM extension bundle, then click OK.
4 Review and accept the product details and license agreement, then click OK.
Run the Deployment Helper
The Deployment Helper verifies the McAfee EMM installation requirements and prepares your environment for installation.
The Deployment Helper is available on the McAfee Downloads site. The utility guides you through installation preparations based on your configuration.
• Enhanced security configuration — The Deployment Helper validates settings for the Hub on the internal server, and for the Portal, Push Notifier, and Proxy on the DMZ server.
• Basic security configuration — The Deployment Helper validates settings for the Hub, Portal, Push Notifier, and Proxy on one server.
For enhanced security configurations, complete this task on your internal server first, then repeat it on your DMZ server.

Task
1 Install the Deployment Helper.
a Log on to a Windows server.
b Locate and double-click the installer file DeploymentHelperInstall.msi.
c Review and accept the terms of the license agreement, then click Install.
2 Select Start | All Programs | McAfee EMM | EMM Deployment Helper.
3 Review the instructions, then click Next.
4 Select the installation appropriate to your configuration and server type:
• Dual Server (Internal) — Internal server in enhanced security configurations
• Dual Server (External) — External server in enhanced security configurations
• Single Server — Basic security configurations
5 Review your installation configuration, then click Next.
6 Complete the component settings screens.
Settings for components provides option definitions for all component settings screens.
7 Review the information on the Confirm Installation Settings screen, then click Run Scan.
When the scan is complete, results are shown. If any tasks are marked failed, review the information, then click Launch KB Assistance for help resolving any issues.

See also
• Database settings
• LDAP server settings
• Hub server settings
• Portal certificate settings
• MDM certificate settings
• ActiveSync server settings
• GCM settings
Install McAfee EMM server components
The server installation process depends on your planned configuration.

Before you begin
Run the Deployment Helper. See Run the Deployment Helper.
• Enhanced security configuration — Use enhanced security installation for maximum security. This configuration installs the server components on dual servers.
• Basic security configuration — Use a basic security installation if your organization doesn't have complex security requirements. This configuration installs the server components on a single server.
For enhanced security configurations, complete this task on your internal server first, then repeat it on your DMZ server.
Task
1 Log on to the server with the McAfee EMM service account.
2 Locate and right-click the installer file Setup.exe, then select Run as Administrator.
• Click Continue if prompted to install Windows installer or .NET version.
• Click Yes if prompted to restart the server. The installer continues automatically after restarting.
3 Review and accept the terms of the license agreement, then click Next.
4 Select the installation appropriate to your configuration and server type:
• Dual Server (Internal) — Internal server in enhanced security configurations
• Dual Server (External) — External server in enhanced security configurations
• Single Server — Basic security configurations
5 Complete the component settings screens.
Settings for components provides option definitions for all component settings screens.
6 Review the information on the Summary screen, then click Install. When installation is complete, click Finish.

See also
• Run the Deployment Helper
• Database settings
• LDAP server settings
• Communication settings
• DMZ settings
Add McAfee EMM as a registered server in ePolicy Orchestrator
Configure access to the McAfee EMM server by adding it as a registered server.

Before you begin
Install or configure the McAfee EMM extension bundle.

Task
For option definitions, click ? in the interface.
1 On the ePolicy Orchestrator console, select Menu | Configuration | Registered Servers, then click New Server.
2 From the Server type drop-down list, select EMM Hub, enter a unique name for the server, then click Next.
3 Provide details about the connection to your McAfee EMM server, click Establish Connection to test your configuration, then click Save.
For a first-time installation, the default logon credentials are:
• User name — admin
• Password — TDadmin*
To secure the connection between the McAfee EMM Hub and the ePolicy Orchestrator server, change the default credentials after adding the registered server. See the McAfee EMM Product Guide for details.
3 Upgrading in enhanced or basic security configurations

You can upgrade to McAfee EMM 12.0 from version 11.0. No direct upgrade path is available for earlier versions.

Verify system requirements before upgrading because requirements change from version to version.

To upgrade from version 11.0, complete these tasks in order.

Contents
• Upgrade the McAfee EMM ePolicy Orchestrator extension bundle
• Upgrade McAfee EMM server components

Upgrade the McAfee EMM ePolicy Orchestrator extension bundle

Upgrading the McAfee EMM extension bundle preserves existing policies and settings. New options added in this version are inactive by default.

To upgrade the McAfee EMM extension bundle, install the updated extension bundle in ePolicy Orchestrator. You don't have to uninstall the existing product extension bundle first, but the McAfee EMM 11.0 Help must be manually removed before upgrade.

This method manually installs the McAfee EMM extension bundle from a local copy. For details about other methods of checking in product packages, including using the Software Manager, see the ePolicy Orchestrator documentation.

Task
For option definitions, click ? in the interface.
1 Manually remove the McAfee EMM 11.0 Help extension.
a In the ePolicy Orchestrator console, select Menu | Software | Extensions.
b From the Extensions list, select Help Content.
c Select the McAfee EMM Help extension (emm_help), click Remove, then click OK to confirm.
2 Download and save the McAfee EMM extension bundle in an accessible location.
Don't unzip the file.
3 On the ePolicy Orchestrator console, select Menu | Software | Extensions, then click Install Extension.
4 Browse to and select the McAfee EMM extension bundle, then click OK.
5 Review and accept the product details and license agreement, then click OK.
6 Clear the web browser cache.
Upgrade McAfee EMM server components
Upgrading version 11.0 server components preserves your existing McAfee EMM installation, including database and authorization directories. The upgrade process differs based on your configuration.

Before you begin
Back up your existing McAfee EMM installation. See the McAfee EMM Product Guide for details.

If you assigned packages to individual users in previous versions of McAfee EMM, manually reassign these packages to groups. You can no longer assign packages on a per-user basis.

Tasks
• Upgrade McAfee EMM server components in enhanced security configurations: In enhanced security configurations, the McAfee EMM servers must be upgraded in a specific order.
• Upgrade McAfee EMM server components in basic security configurations: In basic security configurations, upgrade all McAfee EMM server components simultaneously.
Upgrade McAfee EMM server components in enhanced security configurations
In enhanced security configurations, the McAfee EMM servers must be upgraded in a specific order.

Task
• Follow the instructions in KB81482.

Upgrade McAfee EMM server components in basic security configurations
In basic security configurations, upgrade all McAfee EMM server components simultaneously.

Task
1 Log on to the server with the McAfee EMM service account.
2 Locate and right-click the installer file Setup.exe, then select Run as Administrator.
Click Yes if prompted to restart the server. The installer continues automatically after restarting.
3 Review and accept the terms of the license agreement, then click Next.
Select Use Configuration from Previous Installations if you want to keep settings from a previous upgrade. If you're reusing an existing McAfee EMM database for upgrade, settings from the previous installation are preserved by default, regardless of any changes you make in the installer.
4 Click Upgrade.
5 Review the information on the Summary screen, then click Upgrade. When installation is complete, click Finish.
4 Installing or upgrading in High Availability configurations
HA environments require modified installation and upgrade to ensure continuous email access.
Contents
• Install McAfee EMM in High Availability environments
• Upgrade McAfee EMM in High Availability environments
Install McAfee EMM in High Availability environments
In HA environments, install the McAfee EMM Proxy and Hub on multiple servers to ensure continual access.
Plan your installation using hardware redundancy options like Network load balancing (NLB), multiple ePolicy Orchestrator Agent Handlers, SQL Server replication, or clustering options built into the operating system and applications.
For details about installing McAfee EMM in HA environments, see KB70278.
Task
1 Install the McAfee EMM extension bundle in ePolicy Orchestrator.
See Install the McAfee EMM extension bundle in ePolicy Orchestrator.
2 Use the Dual Server (Internal) option in the McAfee EMM installer to install the first Hub and database on a single server.
3 Stop IIS on any additional internal servers where you plan to install the McAfee EMM Hub and database.
4 Add McAfee EMM as a registered server in ePolicy Orchestrator with the virtual IP address of the Hub load balancer.
See Add McAfee EMM as a registered server in ePolicy Orchestrator.
5 Export an encryption key from ePolicy Orchestrator.
a Select Menu | Configuration | Server Settings | Enterprise Mobility Management.
b In the General Settings section, in the Encryption Key row, click Export.
c Enter a Key password, then click OK.
6 Use the Custom Installation option in the McAfee EMM installer, along with the encryption key, to install the Hub and database on more internal servers. Restart IIS on each server after installation.
Install both the McAfee EMM Hub and database on each server.
7 Use the Dual Server (External) option in the McAfee EMM installer to install the Proxy, Portal, and Push Notifier on the DMZ servers.
8 Pair systems using load balancing appropriate for your setup.
See also
• Install the McAfee EMM extension bundle in ePolicy Orchestrator
• Add McAfee EMM as a registered server in ePolicy Orchestrator
Upgrade McAfee EMM in High Availability environments
In HA environments, the McAfee EMM servers must be upgraded in a specific order.
Task
• Follow the instructions in KB81482.
A Settings for components
Use these tables to configure settings for the Deployment Helper and McAfee EMM server components.
If you use the installer to upgrade components while reusing an existing database, the new component is installed with existing settings, regardless of any changes you make in the installer. This functionality prevents accidentally overriding McAfee EMM database settings that affect your network. If you upgrade an individual component and create a new database, you can reuse old settings, or change them as needed.
Contents
• Database settings
• LDAP server settings
• Hub server settings
• Portal certificate settings
• MDM certificate settings
• Communication settings
• ActiveSync server settings
• GCM settings
• DMZ settings
Database settings
These settings in the Deployment Helper and installer identify the SQL Server that hosts the McAfee EMM database.
Option | Definition
Use SQL Express (Deployment Helper only) | Installs SQL Express on the local system and creates the McAfee EMM database. SQL Express is appropriate only for trial installations, with a single, on-premise server used in non-production environments.
Server name | Host name or IP address of the SQL Server where you want to install the McAfee EMM database.
Authentication | • Windows Authentication (recommended) • SQL Authentication
Username or Login | User name for the connection to the McAfee EMM database server.
Password | Password for the connection to the McAfee EMM database server.
Database | Name for the McAfee EMM database.
See also
• Run the Deployment Helper
• Install McAfee EMM server components
LDAP server settings
These settings in the Deployment Helper and installer identify the server for authenticating users. Fields vary depending on which authentication type you select.
Option | Definition
Server Type | • Active Directory • Domino • ActiveSync Protocol
FQDN | Fully qualified domain name of the LDAP server.
Domain | • Active Directory — Windows NetBIOS domain name. • Domino — Name of the Domino domain.
DN | Domain distinguished name of the LDAP server. • Active Directory — This field is populated with the domain components when Domain FQDN is completed. • Domino — Leave this field blank.
ActiveSync Server (installer only) | IP address or fully qualified domain name of the ActiveSync server.
Username or Verification Username | User name for the connection to the authentication server. For ActiveSync authentication, the account used to install McAfee EMM can't be an administrative account. We recommend a service account with permissions to query group membership.
Password or Verification Password | Password for the connection to the authentication server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy. Devices connect to this McAfee EMM Proxy address for ActiveSync.
See also
• Run the Deployment Helper
• Install McAfee EMM server components
Hub server settings
These settings in the Deployment Helper connect the DMZ server in an enhanced security installation to the internal McAfee EMM Hub server.
Option | Definition
Server address | Fully qualified domain name or IP address of the McAfee EMM Hub server
See also
• Run the Deployment Helper
Portal certificate settings
These settings in the Deployment Helper specify the portal certificate. The Deployment Helper can also assist with generating a certificate signing request (CSR), then creating a portal certificate from the verified CSR.
On the Provide a Portal Certificate screen of the Deployment Helper, select one of these options:
• Create new SSL certificate to generate an SSL certificate, followed by specifying the certificate you created.
• Use existing SSL certificate to specify an existing, valid SSL certificate.
Generate a portal certificate
Step | Option | Definition
1 Generate the CSR. | Common Name | URL that you want customers to connect to. For a wildcard certificate, add an asterisk before the common name, for example, *.domainname.com.
 | Organization | Legally incorporated name of your company.
 | Organization Unit | Unit within your organization requesting the certificate, for example, Engineering or Human Resources. You can enter a DBA (doing business as) name in this field.
 | City/Locality | Unabbreviated city where your organization is legally registered.
 | State/Province | Unabbreviated state or province where your organization is legally registered.
 | Country/Region | Two-letter ISO country code where your organization is legally registered, like US or FR.
 | Certificate Request File Path | Browse to select the location to store the certificate request.
2 Verify the CSR. | This step is completed outside the Deployment Helper. Contact a valid certificate authority (CA) for verification.
3 Generate the portal certificate. | Certificate File Path | Browse to select the .cer or .pem file created in step 2.
 | Certificate Password | Password for the certificate.
Specify a portal certificate
Option | Definition
File Path | Browse to select the .pfx file.
Password | Password for the certificate.
See also
• Run the Deployment Helper
MDM certificate settings
These settings in the Deployment Helper specify the MDM certificate. The Deployment Helper can also assist with generating a CSR, then creating an MDM certificate from the verified CSR.
On the Provide an MDM Certificate screen of the Deployment Helper, select one of these options:
• Create new/renew existing MDM certificate to generate an MDM certificate, followed by specifying the certificate you created.
• Use existing MDM certificate to specify an existing, valid MDM certificate.
Generate an MDM certificate
Step | Option | Definition
1 Generate the CSR. | Common Name | URL that you want customers to connect to.
 | Email | Email address of the administrator making the request.
 | Country/Region | Two-letter ISO country code where your organization is legally registered, like US or FR.
 | Certificate Request File Path | Browse to select the location to store the certificate request.
2 Verify the CSR. | This step is completed outside the Deployment Helper. Follow the instructions in KB73382 to verify the CSR through Apple.
3 Generate the MDM certificate. | Certificate File Path | Browse to select the .pem file created in step 2.
 | Certificate Password | Password for the certificate.
Specify an MDM certificate
Option | Definition
File Path | Browse to select the .pfx file.
Password | Password for the certificate.
See also
• Run the Deployment Helper
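Before either CSR goes out for verification, the values entered in the Generate the CSR step can be checked against the rules in the portal and MDM tables above. The following Python code is an added example, not part of the McAfee guide or the Deployment Helper; the function names and sample values are constructed, it assumes every listed field is filled in and that the Common Name is entered as a bare host name as in *.domainname.com, and the abbreviation check is a heuristic.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Fields each CSR form lists in the tables above (assumed to all be filled in).
FIELDS = {
    "portal": ["Common Name", "Organization", "Organization Unit",
               "City/Locality", "State/Province", "Country/Region"],
    "mdm": ["Common Name", "Email", "Country/Region"],
}


def check_common_name(cn):
    """Return problems with a Common Name given as a bare host name."""
    if "://" in cn or "/" in cn:
        return ["Common Name must be a host name, without scheme or path"]
    problems = []
    labels = cn.split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a single leading wildcard label is allowed
        if len(labels) < 2:
            problems.append("wildcard must sit in front of a domain, e.g. *.domainname.com")
    if len(cn) > 253 or not labels or not all(_LABEL.match(l) for l in labels):
        problems.append("Common Name is not a valid DNS name")
    return problems


def check_csr_fields(fields, kind="portal"):
    """Return a list of problems found in the CSR form values; empty means OK."""
    problems = [f"{name} is empty" for name in FIELDS[kind]
                if not fields.get(name, "").strip()]
    cn = fields.get("Common Name", "").strip()
    if cn:
        problems += check_common_name(cn)
    country = fields.get("Country/Region", "").strip()
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("Country/Region must be a two-letter ISO code such as US or FR")
    for name in ("City/Locality", "State/Province"):
        value = fields.get(name, "").strip()
        # Heuristic: dotted or short all-caps values are usually abbreviations.
        if "." in value or (0 < len(value) <= 3 and value.isupper()):
            problems.append(f"{name} looks abbreviated; spell it out in full")
    email = fields.get("Email", "").strip()
    if email and not _EMAIL.match(email):
        problems.append("Email is not a valid address")
    return problems


# Constructed sample values, not taken from a real deployment.
PORTAL_OK = {"Common Name": "*.domainname.com", "Organization": "Example Corporation",
             "Organization Unit": "Engineering", "City/Locality": "Santa Clara",
             "State/Province": "California", "Country/Region": "US"}
PORTAL_BAD = dict(PORTAL_OK, **{"Common Name": "https://portal.domainname.com/",
                                "State/Province": "CA", "Country/Region": "USA"})
MDM_BAD = {"Common Name": "mdm.domainname.com", "Email": "admin-at-domainname.com",
           "Country/Region": "FR"}

if __name__ == "__main__":
    for label, values, kind in (("portal ok", PORTAL_OK, "portal"),
                                ("portal bad", PORTAL_BAD, "portal"),
                                ("mdm bad", MDM_BAD, "mdm")):
        print(label, check_csr_fields(values, kind) or "OK")
```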
Communication settings
These settings in the installer specify portal and MDM certificates, and GCM account credentials.
Option | Definition
Portal Certificate | Available Certificates: Select an existing certificate from an earlier McAfee EMM installation, or select Use New Certificate to specify a new certificate.
 | File Path: Browse to select the portal certificate.
 | Password: Password for the portal certificate.
MDM Push Certificate | File Path: Browse to select the MDM certificate.
 | Password: Password for the MDM certificate.
GCM Settings | Sender ID: Project number of your Google API project.
 | Token: API key value of your Google API project. To verify connection to the Google server, click the green checkmark next to the Token field.
See also
• Install McAfee EMM server components
ActiveSync server settings
These settings in the Deployment Helper identify the ActiveSync server that communicates with the McAfee EMM Proxy.
Option | Definition
Server Address | Fully qualified domain name of the ActiveSync server. For a Domino server, enter <servername>/servlet/traveler.
Domain Name | Domain name of the ActiveSync server.
Username | User name for the connection to the ActiveSync server.
Password | Password for the connection to the ActiveSync server.
See also
• Run the Deployment Helper
GCM settings
These settings in the Deployment Helper validate GCM account credentials.
Option | Definition
Sender ID | Project number of your Google API project.
Token | API key value of your Google API project.
See also
• Run the Deployment Helper
DMZ settings
These settings in the installer identify the ActiveSync server that communicates with the McAfee EMM Proxy.
Option | Definition
ActiveSync Server Address | Fully qualified domain name of the ActiveSync server. To verify connection to the server, click the green checkmark next to the server address, then click Verify.
See also
• Install McAfee EMM server components