I am testing out Centrify Express as an MDM solution and I'm finding it very nice. I am, however, unable to configure the Exchange ActiveSync settings to work with Office365.
Office365 works as a cloud-based Exchange server with 2 minor adjustments. When setting up the account, the user name must be the entire email address (ex. email@example.com), not just "username". For the rest of the configuration, the Domain is left blank since it is part of the email address.
Those are the only 2 changes that I can see need to be implemented to allow it to connect.
I am trying to create a WIFI profile policy in GPMC and our Enterprise WIFI uses a Certificate to authenticate. The description says to use the Certificate which was uploaded in the Credentials section. But where is the credentials section in GPMC where I can add the AD provided Certificate, and how do I add a Root Certificate for our PKI?
Exchange configuration for Android and prevent enrolled users to delete profiles on iOS or Android devices
Thanks for your responses; currently we plan to hand over to each user of the company a smartphone (two models available, on iOS and Android) with the ID account and the URL to enroll their device.
In the simplest way possible: asking them to type their LDAP user account, as in the beta version, and the cloud ID.
Waiting for evolution, to avoid Google Play to enroll devices, we have no choice but to create one account that will be handed over to users, with the enrollment URL and the cloud ID.
Note that the Exchange configuration for Android will be very important, and it will be great if available by GPO.
Do you think it will be possible that the user is not authorized to remove the profile on the device, and that only an administrator will be able to do it, for more control and security?
We will follow the development of Centrify, which I think will be delivered with the most interesting controls for iOS as well as Android.
If I missed this I apologize in advance.
In some circumstances we may not immediately jump to a remote wipe process. In some circumstances the end user may let us know they misplaced their phone. (Not Stolen) That would prompt me to lock the device for security purposes.
In this scenario, if a friend or colleague took the phone and knew the passcode, the device is still compromised.
Is there a way to lock the device and set a passcode on the device?
Having the MAC address is essential in many aspects. I understand that other MDM providers do query that information from devices.
Our business needs are from the wireless connectivity side. We need the device MAC address in order to securely (via user authentication and MAC address filtering) provide wireless connectivity to our internal network.
Centrify does provide us some of the following information however some other integral ones are missed. To bring it to enterprise level the following information should be available to customers:
- Unique device identifier (UDID)
- Device name
- iOS and build version
- Model name and number
- Serial number
- Capacity and space available
- Modem firmware
- Bluetooth and Wi-Fi MAC address
- Current carrier network
- SIM carrier network
- Carrier settings version
Compliance and Security Information
- Configuration profiles
- Certificates installed with expiry dates
- Restrictions enforced
- Hardware encryption capability
- Passcode present
- Applications installed (app ID, name, version, size, app data size)
- Provisioning profiles installed
In the case where IT needs to prepare a number of devices for deployment, I would like to be able to transfer the enrollment from one user (IT person) to the end User.
Now at the moment, the simplest way is to have the end user Enroll the device.
You can change the AD user who manages the device, but this does not push updated email settings to the device; they remain configured for the person who enrolled it.
I'd like to see user settings updated based on changes of the 'person who manages this device' setting in AD.
After looking at Wi-Fi settings, there seems to be no way to add a WPA2-enterprise network that uses a root and user certificate. If there was an option for this, that would make my day. If I have missed this feature and it already exists, I apologise.
The process of managing mobile devices is the same for iOS 4-5 as for OSX 10.7 and above. So it would be a nice feature to support Macs in a future release of Centrify Express. I think in the next versions the AD integration for managing preferences etc. will be deprecated and I think a more unified solution would have many advantages. :)
The 'Allow Siri while device locked' option does not seem to be available.. only the option to disable Siri altogether.
I work in a Healthcare environment, and we don't necessarily want to disable Siri completely, but for compliance reasons, we need to be able to disable Siri while the device is locked.
This may be my lack of understanding of what you want this portal to achieve but the following items would seem a basic necessity and are included by many others (example lightspeed, symantec app centre).
1) There seems to be no ability to add apps with or without sign on requirements (other than the limited few already in the list).
2) No way to contact end users (for example, select a group of devices and message the owners).
3) No way to 'push' apps to the devices other than have them available for download within the centrify app.
These are features that I would consider advanced, that other vendors have plans for Q1 release into their products (eg. lightspeed)
a) Time based profiles. That is security (or other) profiles that only apply during set hours (for example disabling the camera from mon-fri 9-5)
b) Geographical based profiles (for example disabling the use of youtube while in an office building but enabling once offsite).
c) Tiered groups allowing administration of set groups by specific admins (eg. dept. head able to administer only their departments devices)
I have an iPad that is enrolled and has various policies, restrictions, and Exchange email set up on it. If the end user were to intentionally or accidentally delete the iOS profiles, that action would be just like unenrolling the device. In ADUC, the iPad computer account still shows as enabled. Is there a way for Centrify to recognize the deletion of the profiles and reflect that as an unenroll action and automatically disable the iPad computer account? If that is not possible, how about the ability to specify the time interval for sending alerts for non-responding devices? What is the current time interval for dead device email notifications?
As employees come and go from our company, mobile devices will change hands often. This means enrolling the same device with different users over time. However, the AD computer account for the device keeps the same name from the first user who enrolled the device. Take for example:
- New Android device that has never been enrolled before is enrolled by User1.
- AD computer account is created and called HTC:2.3.4_User1@company.com.
- User1 leaves company and User2 acquires User1's Android.
- From the ADUC computer account HTC:2.3.4_User1@company.com, device is unenrolled.
- User2 enrolls same Android device.
- AD computer account still shows as HTC:2.3.4_User1@company.com and not HTC:2.3.4_User2@company.com.
It would be nice if the computer account is automatically renamed when subsequent users enroll the same device. It makes it easier to look at the mobile device AD computer account and quickly associate computer account with user.
Otherwise, I would have to open the AD computer account, go to the Centrify Mobile tab, look at the Owner section and see what the user name is. In the above scenario, the computer name would be HTC:2.3.4_User1@company.com but the user name would show as firstname.lastname@example.org.
I think the ability to configure iOS Mail settings would be beneficial for some. Specifically, the settings in Settings > Mail, Contacts, Calendars > Mail, which include:
- Show To/Cc label
- Ask before Deleting
- Load Remote Images
- Organise by Thread
- Always Bcc myself
- Increase Quote Level
- Default Account
"Signature" is a per-account setting so maybe it can be incorporated into the "Exchange ActiveSync Settings" GPO setting.
Great product! Many thanks.
I was able to verify that there are no current options to prohibit cellular data for non-SAFE or iOS devices at the moment. There are also no future plans at the moment to implement device backups of contacts, messages or calendar, as this info is usually stored on the mail server. I'll post any updates to this if these features become available in the future. Thanks!