Product Documentation

Configuring General Options in Device Manager

Oct 20, 2015

You can use General Options to set Device Manager device display settings, device access relative to the number of users per device, device triangulation enablement, and the Enterprise App Store availability for iOS.

  • Inactivity Days Threshold. Defines a time period in days within which a device must communicate back to the Device Manager server before changing the device status to "inactive".
    Note: If you are using Cisco ISE (or other NAC appliance) in conjunction with the Device Manager server to filter device access to your network, and if the Inactivity Days Threshold value changes, you need to restart the Device Manager service on the Device Manager server for the changes to take effect.
  • Number of Devices per User. Maximum number of devices a user can enroll. If you want to prevent device sharing, you can restrict the number of users per single mobile device, as well as restrict the number of devices that a single user can register and enroll. If you set the value to zero, a user can own any number of devices. When a device or user limit is exceeded, the users receive an error that indicates that a connection or license limit is reached, which prevents the additional user or device from enrolling.
  • Number of Users per Device. Maximum number of users that can share a single device. The default value is zero, which means an unlimited amount of users can share the device.
  • Highlight Jailbroken or Rooted column, SMG Status column, Managed column. When enabled, these options provide status 'lights" to indicate a device status. When disabled, the status lights (red or green) will not display and text will be used to indicate status.
  • Enable Device Triangulation. Provides the ability to reconcile Android ActiveSync IDs with hardware manufacturer identifiers to provide a common identity for Android devices.
  • Send Android Domain Users to Secure Mobile Gateway. When enabled, this option ensures that Device Manager sends Android device information to Secure Mobile Gateway in the event that Device Manager does not have the Android device user's ActiveSync identifier (ID).

Configuring Device Manager Security Options

The security options dialog box allows you to customize the security features of the service. By default, when Secure Device is included in the license, it is automatically activated during installation, with a strong level of security.

  • Enforce SSL. Forces devices to communicate by using an SSL transport. All HTTP (unsecure) requests from devices will be rejected.
  • Strong Authentication. Enables strong authentication by generating a Strong ID for devices that is then used as a second method of authentication during the enrollment process.
  • Strong ID Valid Once. Allows Strong ID passcodes to only be used once. When the Strong ID is used once to generate a device certificate, it cannot be reused. The device has to be revoked and reauthorized.
  • Certificate Renewal. Sets the renewal time for certificates used in Strong Authentication mode. A setting of zero disables the certificate renewal process.
  • Always Add Device. Registers devices automatically into Device Manager even when Secure Device is activated.
  • Block Rooted Android and iOS Enrollment. Enabling this function blocks rooted or jailbroken devices from enrolling.
  • 8 Char Strong ID. Enables a Strong ID character string that is limited to 8 characters.
  • Enable SHP Console for Users. Enables or disables the Self-Help Console for user management of devices.
  • XDM/SHP console max inactive interval. The time (in minutes) between client requests before the server invalidates a log on session. If you set the value to zero, log on sessions do not timeout. For example, if the console max timeout value is set to 1 (one minute) and a user logs on and does not interact with the UI for over one minute, then the user is logged off. The console might still appear as if the user is logged on until the user attempts to interact with the UI, but then the console will be refreshed and the user will see the log on page.
  • iOS agent auto logout (minutes). Length of time before an iOS agent user is logged off due to inactivity.
  • Enable client cert authentication for iOS. If enabled, iOS enrollment agent uses certificate authentication. If disabled, iOS enrollment agent uses session-based authentication.

To enable Strong ID

Strong ID is a form of two-factor authentication used to provide an extra layer of extra security when enrolling a device. Devices cannot enroll until the device's serial number or IMEI is known. When you enable Strong ID, Citrix recommends enabling the character string to be 8 characters in length.

  1. In the Device Manager console, click Options > Security.
  2. You can add the devices manually or import the devices from the Devices tab by using the serial number of IMEI, which generates a Strong ID for the device.

When users are ready to enroll their device, they need to call support personnel and give the serial number or IMEI. Support personnel can then provide the Strong ID from the device properties.

Configuring Role-Based Access Control (RBAC)

You can configure the following settings for role-based access control:

  • Access role-based access control (RBAC) settings
  • Create a new access control role (associate actions with roles)
  • Add groups to a role
  • Associate users with roles

To configure RBAC

  1. In the Device Manager Options console, in the left pane, expand Access Control and then click Role Based Access Control.
  2. In the right pane, click New.
  3. In the Create a Role dialog box, enter a name for the role, select the features you want to enable for the role and then click Create.

To add groups to a role

When you create a new role, you can also associate a user group with the role as part of the role definition.

  1. In the Device Manager Options console, in the left pane, expand Access Control and then click Role Based Access Control.
  2. In the right pane, select a role and then click Edit.
  3. In the Edit a role dialog box, select the feature access you want to associate with a role, and then select the group you want to have access to the role. Any group, and the group's users, that you select receives access to the selected features.
  4. Click Update to save the changes.

To associate users with a role

When you create a new role, you can associate users with the role.

  1. Select the Users tab and then double-click a user in the user table. Or, click New User.
  2. In the New User dialog box, enter the user name and password, and then in Role, select the role you want to associate with the user.
  3. Click Create.

Configuring System Settings for iOS Devices

The following system settings apply to iOS devices only:

  • Store User Password. Provides the following options:
    • Enable. If you select Enable, a user's password in Worx Home is securely stored and used for ongoing authentication with the Device Manager. In Worx Home, the logon/logout button will be enabled, and the user will be required to log in again if the user manually logs out.
    • Disable. If you select Disable, Device Manager does not store a user's passwords and uses a certificate for all ongoing authentication with Device Manager. In Worx Home, the logon/logout button will not display, and the user will never be logged out.
      Note: Note that when this setting is enabled, you can allow users to register and authenticate with a domain password because an enrollment invitation overrides this setting when other enrollment modes are configured.
  • User property for VPP country mapping. The mapping used to choose the property pool of the Apple Volume Purchase Plan (VPP). This code allows a user to download apps from app stores specific to country based on this mapping. For example, if your user property is US, you will not be able to download the apps if the VPP code for the app is distributed in the UK.
  • VPP company token. This is the VPP service token generated when you buy an app on the Apple App Store through your corporate account and is used to validats your VPP license. After you log in to the iTunes App Store using your company's corporate account log in, purchase the app and then click Download to obtain the token, and enter the token. It may take a few minutes for Device Manager to connect to the Apple VPP server. Once validated, this populates the purchased apps in the Applications tab of Device Manager, which can then be deployed to managed devices.

Scheduling Option for Hardware and Software Inventory Deployments

The Scheduling option enables you to globally enforce hardware inventory and software deployments for devices that are always connected to Device Manager.

You may want your devices configured to always be connected to Device Manager (Always On or Permanently Alive). For example, you may want a device to be always connected to Device Manager in the event you need to remotely wipe the device in case of a data security breach. Using policies, you can configure your devices to always be connected to Device Manager.

Using this option allows you to set the time interval (in minutes) that a hardware inventory and a software deployment runs.