McAfee EMM 12.0 Installation Guide

Installation Guide

McAfee Enterprise Mobility Management 12.0 Software
For use with ePolicy Orchestrator 4.6.7-5.1 Software

COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Planning your installation
    McAfee EMM components
        Server components
        Client components
    Configuration overview
        High Availability configuration (multiple servers)
        Enhanced security configuration (dual servers)
        Basic security configuration (single server)
    Installation requirements
        System requirements
        Certificate requirements
        Network requirements

2 Installing in enhanced or basic security configurations
    Install the McAfee EMM extension bundle in ePolicy Orchestrator
    Run the Deployment Helper
    Install McAfee EMM server components
    Add McAfee EMM as a registered server in ePolicy Orchestrator

3 Upgrading in enhanced or basic security configurations
    Upgrade the McAfee EMM ePolicy Orchestrator extension bundle
    Upgrade McAfee EMM server components
        Upgrade McAfee EMM server components in enhanced security configurations
        Upgrade McAfee EMM server components in basic security configurations

4 Installing or upgrading in High Availability configurations
    Install McAfee EMM in High Availability environments
    Upgrade McAfee EMM in High Availability environments

A Settings for components
    Database settings
    LDAP server settings
    Hub server settings
    Portal certificate settings
    MDM certificate settings
    Communication settings
    ActiveSync server settings
    GCM settings
    DMZ settings

Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

| Convention | Description |
| --- | --- |
| Book title, term, emphasis | Title of a book, chapter, or topic; a new term; emphasis. |
| Bold | Text that is strongly emphasized. |
| User input, code, message | Commands and other text that the user types; a code sample; a displayed message. |
| Interface text | Words from the product interface like options, menus, buttons, and dialog boxes. |
| Hypertext blue | A link to a topic or to an external website. |
| Note | Additional information, like an alternate method of accessing an option. |
| Tip | Suggestions and recommendations. |
| Important/Caution | Valuable advice to protect your computer system, software installation, network, business, or data. |
| Warning | Critical advice to prevent bodily harm when using a hardware product. |

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.

1 Planning your installation

Before installing McAfee® Enterprise Mobility Management (McAfee EMM™) for McAfee® ePolicy Orchestrator®, learn about the software components, decide on a configuration model, and verify that your system meets minimum requirements.

Contents
• McAfee EMM components
• Configuration overview
• Installation requirements

McAfee EMM components

The McAfee EMM system includes server-side and client-side components that are managed through ePolicy Orchestrator.

McAfee EMM 12.0 can be used with ePolicy Orchestrator 4.6.7–5.1.

The McAfee EMM extension bundle for ePolicy Orchestrator includes these extensions:

• McAfee Enterprise Mobility Management — Provides the core McAfee EMM functionality.

• McAfee Mobile ePO — Allows ePolicy Orchestrator to communicate with mobile devices.

• PKI — Enables secure, certificate-based authentication for VPN or Wi-Fi connections on iOS devices.

• Help — Provides context-sensitive help for McAfee EMM interface pages, and provides on-screen access to the product guide.

Server components

These components are installed on enterprise servers to administer McAfee EMM.

| McAfee EMM server component | Description |
| --- | --- |
| Hub | Manages communication between McAfee EMM components and with ePolicy Orchestrator. The Hub allows secure communication across the firewall (between the DMZ and the internal network) and eliminates the need to open custom firewall ports. SSL communication is established between the components. The Hub is paired with the McAfee EMM database, which stores all data required for McAfee EMM to function. |
| Portal | Allows device users to initiate wipe requests in the event their device is lost or stolen. Users access the Portal from a browser on a PC or mobile device. We recommend installing the Portal in the DMZ. |
| Proxy | Proxies ActiveSync traffic to the email servers. This IIS (Internet Information Services) application controls access to enterprise resources on the DMZ server. We recommend installing the Proxy in the DMZ. |
| Push Notifier | Sends push notifications to mobile devices. The Push Notifier is a required component that communicates with Apple and Google push notification services. We recommend installing the Push Notifier in the DMZ. |

Client components

These components are installed on mobile devices that are registered on the enterprise network. They help configure the device and communicate with the McAfee EMM server.

| McAfee EMM client component | Description |
| --- | --- |
| McAfee EMM iOS app | Free app that enforces security policies, notifies users of compliance issues, and configures corporate email, contacts, and calendars using the device's native apps. |
| McAfee EMM Android app | Free app that enforces security policies, notifies users of compliance issues, and optionally pairs with McAfee® Secure Container to manage corporate email, contacts, and calendars. |
| McAfee Secure Container app (Android devices) | Free app that encrypts and passcode-secures enterprise email, contacts, and calendars. |

Configuration overview

Your McAfee EMM configuration depends on the unique needs of your environment.

There are three basic configurations for the McAfee EMM server components.

| Configuration | Recommended for |
| --- | --- |
| High Availability (multiple servers) | Organizations where email is critical to business operations |
| Enhanced security (dual servers) | Most organizations |
| Basic security (single server) | Smaller organizations without complex security requirements |

Regardless of the configuration you use, follow these guidelines for setup of the McAfee EMM Hub.

• The McAfee EMM Hub can be registered to only one ePolicy Orchestrator server.

• The McAfee EMM Hub and ePolicy Orchestrator should be hosted on separate servers for optimum performance.

• The McAfee EMM Hub automatically connects to ePolicy Orchestrator Agent Handlers. Agent Handler assignment rules aren't configurable for McAfee EMM.

High Availability configuration (multiple servers)

The High Availability (HA) configuration is appropriate for organizations where email is critical to business operations.

HA configuration installs McAfee EMM on multiple servers. The McAfee EMM Portal, Proxy, and Push Notifier are installed on multiple Internet-facing IIS servers in the DMZ. The McAfee EMM Hub is installed on one or more servers in the internal subnet.

Additional HA configuration requirements include SQL Server clustering as well as two load balancers:

• Proxy load balancer — Located in front of proxies and behind the external network firewall.

• Hub load balancer — Located in front of the McAfee EMM Hubs and behind the internal network firewall.

For details about configuring load balancers, see KB81305.

We recommend using multiple ePolicy Orchestrator Agent Handlers to ensure continual communication between the McAfee EMM internal server and the ePolicy Orchestrator server.

Figure 1-1 Typical High Availability configuration

Enhanced security configuration (dual servers)

The enhanced security configuration is recommended for most McAfee EMM installations. This configuration provides maximum security and verifies web traffic before it enters your private network.

The enhanced security configuration installs McAfee EMM on two servers. The McAfee EMM Portal, Proxy, and Push Notifier are installed on an Internet-facing IIS server in the DMZ. The McAfee EMM Hub is installed in the internal subnet.

Figure 1-2 Typical enhanced security configuration

Basic security configuration (single server)

The basic security configuration is appropriate for smaller organizations without complex security requirements, or for trial installations.

The basic security configuration installs all McAfee EMM server components on a single server located in the internal subnet.

Figure 1-3 Typical basic security configuration

Installation requirements

McAfee EMM has specific system, certificate, and network requirements for installation and operation.

For details about supported mobile device operating systems, see KB81475.

System requirements

Before installing McAfee EMM, verify that your system meets these minimum operating requirements.

These requirements apply to the McAfee EMM server components. For details about ePolicy Orchestrator requirements, see the ePolicy Orchestrator documentation.

To simplify installation and maintenance, we recommend creating a McAfee EMM service account. The account must be a local administrator account that has permission to create a database on the SQL Server. For details about SQL database permissions, see KB79251.

If you use Windows Authentication for database connectivity, we recommend using a domain account for installation.

| Component | Requirement |
| --- | --- |
| Software | ePolicy Orchestrator 4.6.7–5.1 |
| Hardware (physical or virtual) | 4 GB RAM; Dual Core CPU |
| Operating system | Windows Server 2008 64-bit with Service Pack 2 or later (Standard or Enterprise Edition); Windows Server 2008 R2 64-bit with Service Pack 1 or later (Standard or Enterprise Edition); Windows Server 2012 64-bit (Standard Edition); Windows Server 2012 R2 64-bit (Standard Edition). If the McAfee EMM server components are installed on a Windows Server 2012, you might need to manually resolve discrepancies with the certificate storage location to avoid a connection error when registering the McAfee EMM server. See KB81110 for details. |
| SQL Server | 2008 64-bit with the latest Service Pack (Enterprise Edition); 2008 R2 32- and 64-bit with the latest Service Pack (Enterprise, Standard, or Workgroup Edition); 2012 64-bit with the latest Service Pack (Enterprise Edition). Configuration and limitations: Database collation must be configured to the U.S. English default: SQL_Latin1_General_Cp1_CI_AS. SQL Express R2 is appropriate only for trial installations, with a single, on-premise server used in non-production environments. |
| Mail server | Exchange 2007, 2010, or 2013; Domino 8.5.3 or 9.0. Other mail servers might work, but aren't tested for use with Exchange ActiveSync. |
| CA server (PKI environments) | Windows Server 2008 R2 64-bit with Service Pack 1 or later (Standard or Enterprise Edition), with Simple Certificate Enrollment Protocol (SCEP) enabled. Server must be configured to use the Client Authentication certificate template. |
| Internet browsers | Internet Explorer 10.0 or later; Firefox 10.0 or later; Chrome 17 or later. To access certain McAfee EMM features, Microsoft Silverlight 3.0 or later must be installed on the browser and pop-ups must be allowed for your ePolicy Orchestrator site. |

Supported languages

McAfee EMM software runs on any supported operating system regardless of the configured locale.

The McAfee EMM interface has been translated into the languages shown here. Language support varies by ePolicy Orchestrator version. When the software is installed on an operating system using a language that is not on this list, the interface defaults to English.

| ePolicy Orchestrator 4.6.7 | ePolicy Orchestrator 5.0 and later | ePolicy Orchestrator 5.0 and later (continued) |
| --- | --- | --- |
| Chinese (Simplified) | Chinese (Simplified) | Japanese |
| Chinese (Traditional) | Chinese (Traditional) | Korean |
| English | Danish | Norwegian |
| French | Dutch | Portuguese (Brazilian) |
| German | English | Portuguese (Iberian) |
| Japanese | Finnish | Russian |
| Korean | French | Spanish |
| Russian | German | Swedish |
| Spanish | Italian | Turkish |

Certificate requirements

Before installing McAfee EMM, understand and verify these credentials. The McAfee EMM Deployment Helper walks you through obtaining portal and Mobile Device Management (MDM) certificates.

Retain a copy of your portal and MDM certificates and passwords in a secure location in case you need to restore them later.

| Credential | Used for | Used by | Expiration | Notes |
| --- | --- | --- | --- | --- |
| Portal certificate | Mobile device verification and secure communication between the McAfee EMM server and client components. | McAfee EMM Portal; McAfee EMM Proxy; Windows IIS | Varies. Obtain updates from your certificate authority. | Must be a public certificate (not self-signed) obtained from a recognized certificate authority like Verisign or GoDaddy. Without a trusted certificate, users can't configure devices. Must match the address (A) record defined in the Domain Name System (DNS) unless a wildcard (*) certificate is used. |
| MDM certificate | Communication with Apple Push Notification services for device management. | McAfee EMM Push Notifier | Annually. Obtain updates from Apple. | See KB73382 for details about generating or renewing MDM certificates. Update MDM certificates before they expire to avoid reconfiguring all iOS devices on your network. |
| iOS Agent Push Notification certificate | Communication with Apple Push Notification services for user notifications. | McAfee EMM Push Notifier | Annually. Obtain updates by visiting the McAfee Downloads site and entering a valid McAfee EMM grant number. | Installed automatically with McAfee EMM. |
| Google Cloud Messaging (GCM) account credentials | Communication with Google Push Notification services. | McAfee EMM Push Notifier | Does not expire unless you generate a new token using the same Sender ID. | See KB77397 for details about generating GCM credentials. |

Network requirements

Before installing McAfee EMM, verify that your network meets these requirements.

Publicly registered domain

You have a valid, externally facing URL to access the McAfee EMM Portal and Proxy.

Router and firewall access rules

| Configuration | Allow traffic on this port | From | To |
| --- | --- | --- | --- |
| High Availability configuration (multiple servers) | 443 | Internet | McAfee EMM DMZ server |
| | 443 | McAfee EMM DMZ server | Email servers providing ActiveSync Services (Microsoft Exchange or IBM Notes Traveler) |
| Enhanced security configuration (dual servers) | 443 | McAfee EMM DMZ server | McAfee EMM internal server |
| | 389 | McAfee EMM internal server | LDAP server |
| | 88 | McAfee EMM internal server | LDAP server |
| | | | Communication on this port is required only for Active Directory with Kerberos authentication. |
| | 1433 (or dynamic SQL port) | McAfee EMM internal server | SQL Server where the McAfee EMM database is installed |
| | 25 | McAfee EMM internal server | SMTP server |
| Basic security configuration (single server) | 443 | Internet | McAfee EMM server |
| | 443 | McAfee EMM server | Email servers providing ActiveSync or Notes Traveler |
| | 389 | McAfee EMM server | LDAP server |
| | 88 | McAfee EMM internal server | LDAP server |
| | 1433 (or dynamic SQL port) | McAfee EMM server | SQL Server where the McAfee EMM database is installed |
| | 25 | McAfee EMM internal server | SMTP server |
| iOS devices | 2195 | McAfee EMM server (DMZ in enhanced security mode) | Apple Push Notification service at gateway.push.apple.com |
| | 2196 | McAfee EMM server (DMZ in enhanced security mode) | Apple Push Notification service at feedback.push.apple.com |
| | 5223 | Devices connected to Wi-Fi | Apple Push Notification service |
| | | | For specific port and configuration details for iOS devices in a business environment, see the Apple guide to iPhone and iPad in Business. |
| Android devices | 443 | McAfee EMM server (DMZ in enhanced security mode) | Google Cloud Messaging service at android.googleapis.com |
| | 5228 | Devices connected to Wi-Fi | Google Cloud Messaging service |
| | 443 (to enable App Protection) | Devices connected to Wi-Fi | McAfee Global Threat Intelligence server at https://appcloud.mcafee.com/aa |

For outbound connections to Apple and Google push services, don't set IP-specific firewall restrictions because the IP addresses are subject to change.
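The server-side rows of the port table can be treated as an allow-list and compared with an exported rule set, to find both the flows still missing and any rule that opens more than the table lists. This is an added example, not code from McAfee or from this guide: the zone labels, the Rule tuple and the sample rules are constructed for illustration, and it assumes the Internet-to-DMZ and DMZ-to-email rows also apply to the dual-server (enhanced security) layout.

```python
"""Compare a firewall rule export with the flows the guide's port table
lists for the enhanced security (dual-server) configuration."""
from typing import NamedTuple

# Zone labels are invented for this example; map them to your own objects.
INTERNET, DMZ, INTERNAL = "internet", "emm-dmz", "emm-internal"
EMAIL, LDAP, SQL, SMTP = "email", "ldap", "sql", "smtp"
APNS, GCM = "apple-push", "google-gcm"   # named services, not pinned IPs
ANY = "any"
ZONES = (INTERNET, DMZ, INTERNAL, EMAIL, LDAP, SQL, SMTP, APNS, GCM)
EMM_ZONES = {DMZ, INTERNAL}


class Rule(NamedTuple):
    name: str
    src: str      # a zone label or ANY
    dst: str      # a zone label or ANY
    lo: int       # first allowed TCP port
    hi: int       # last allowed TCP port


def required_flows(kerberos=False, sql_port=1433):
    """(source, destination, port) flows taken from the guide's table.

    Device-side rows (5223, 5228, App Protection) describe the Wi-Fi
    network the handsets use and are out of scope here.
    """
    flows = {
        (INTERNET, DMZ, 443),       # Portal and Proxy
        (DMZ, EMAIL, 443),          # ActiveSync
        (DMZ, INTERNAL, 443),       # DMZ server to internal server
        (INTERNAL, LDAP, 389),
        (INTERNAL, SQL, sql_port),  # 1433 or the dynamic SQL port
        (INTERNAL, SMTP, 25),
        (DMZ, APNS, 2195),
        (DMZ, APNS, 2196),
        (DMZ, GCM, 443),
    }
    if kerberos:                    # only for Active Directory with Kerberos
        flows.add((INTERNAL, LDAP, 88))
    return flows


def audit(rules, kerberos=False, sql_port=1433):
    """Return (missing, excess).

    missing: required flows that no rule allows.
    excess:  (rule, src, dst) where a rule touching an EMM server allows
             ports the table does not list for that source/destination.
    """
    wanted = required_flows(kerberos, sql_port)
    covered, excess = set(), set()
    for r in rules:
        sources = ZONES if r.src == ANY else (r.src,)
        targets = ZONES if r.dst == ANY else (r.dst,)
        for src in sources:
            for dst in targets:
                if src == dst or not ({src, dst} & EMM_ZONES):
                    continue        # rule does not involve an EMM server
                ok = {p for s, d, p in wanted
                      if (s, d) == (src, dst) and r.lo <= p <= r.hi}
                covered |= {(src, dst, p) for p in ok}
                if len(ok) < r.hi - r.lo + 1:
                    excess.add((r.name, src, dst))
    return sorted(wanted - covered), sorted(excess)


# Constructed rule export for illustration.
SAMPLE_RULES = [
    Rule("portal-in", INTERNET, DMZ, 443, 443),
    Rule("proxy-to-mail", DMZ, EMAIL, 443, 443),
    Rule("dmz-to-hub", DMZ, INTERNAL, 443, 443),
    Rule("hub-ldap", INTERNAL, LDAP, 389, 389),
    Rule("hub-sql", INTERNAL, SQL, 1433, 1433),
    Rule("push-apns", DMZ, APNS, 2195, 2196),
    Rule("push-gcm", DMZ, GCM, 443, 443),
    Rule("legacy-mgmt", DMZ, INTERNAL, 1024, 65535),  # wider than listed
    Rule("dmz-sql", DMZ, SQL, 1433, 1433),            # bypasses the Hub
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    for src, dst, port in missing:
        print(f"MISSING  {src} -> {dst} tcp/{port}")
    for name, src, dst in excess:
        print(f"EXCESS   rule {name!r}: {src} -> {dst}")
```

The push destinations are modelled as named services rather than addresses, in line with the guide's advice not to pin firewall rules to Apple or Google IP addresses.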

2 Installing in enhanced or basic security configurations

To install McAfee EMM in enhanced or basic security configurations, complete these tasks in order.

Contents
• Install the McAfee EMM extension bundle in ePolicy Orchestrator
• Run the Deployment Helper
• Install McAfee EMM server components
• Add McAfee EMM as a registered server in ePolicy Orchestrator

Install the McAfee EMM extension bundle in ePolicy Orchestrator

Install the McAfee EMM extension bundle before installing the McAfee EMM server components so that you can prepare policies for quick deployment.

This method manually installs the McAfee EMM extension bundle from a local copy. For details about other methods of checking in product packages, including using the Software Manager, see the ePolicy Orchestrator documentation.

The McAfee EMM extension bundle might be automatically installed by the Automatic Product Configuration process during ePolicy Orchestrator 5.1 configuration.

Task

For option definitions, click ? in the interface.

1 Download and save the McAfee EMM extension bundle in an accessible location.

Don't unzip the file.

2 On the ePolicy Orchestrator console, select Menu | Software | Extensions, then click Install Extension.

3 Browse to and select the McAfee EMM extension bundle, then click OK.

4 Review and accept the product details and license agreement, then click OK.

Run the Deployment Helper

The Deployment Helper verifies the McAfee EMM installation requirements and prepares your environment for installation.

The Deployment Helper is available on the McAfee Downloads site. The utility guides you through installation preparations based on your configuration.

• Enhanced security configuration — The Deployment Helper validates settings for the Hub on the internal server, and for the Portal, Push Notifier, and Proxy on the DMZ server.

• Basic security configuration — The Deployment Helper validates settings for the Hub, Portal, Push Notifier, and Proxy on one server.

For enhanced security configurations, complete this task on your internal server first, then repeat it on your DMZ server.

Task

1 Install the Deployment Helper.

a Log on to a Windows server.

b Locate and double-click the installer file DeploymentHelperInstall.msi.

c Review and accept the terms of the license agreement, then click Install.

2 Select Start | All Programs | McAfee EMM | EMM Deployment Helper.

3 Review the instructions, then click Next.

4 Select the installation appropriate to your configuration and server type:

• Dual Server (Internal) — Internal server in enhanced security configurations

• Dual Server (External) — External server in enhanced security configurations

• Single Server — Basic security configurations

5 Review your installation configuration, then click Next.

6 Complete the component settings screens.

Settings for components provides option definitions for all component settings screens.

7 Review the information on the Confirm Installation Settings screen, then click Run Scan.

When the scan is complete, results are shown. If any tasks are marked failed, review the information, then click Launch KB Assistance for help resolving any issues.

See also
• Database settings
• LDAP server settings
• Hub server settings
• Portal certificate settings
• MDM certificate settings
• ActiveSync server settings
• GCM settings

Install McAfee EMM server components

The server installation process depends on your planned configuration.

Before you begin

Run the Deployment Helper. See Run the Deployment Helper.

• Enhanced security configuration — Use enhanced security installation for maximum security. This configuration installs the server components on dual servers.

• Basic security configuration — Use a basic security installation if your organization doesn't have complex security requirements. This configuration installs the server components on a single server.

For enhanced security configurations, complete this task on your internal server first, then repeat it on your DMZ server.

Task

1 Log on to the server with the McAfee EMM service account.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator.

• Click Continue if prompted to install Windows installer or .NET version.

• Click Yes if prompted to restart the server. The installer continues automatically after restarting.

3 Review and accept the terms of the license agreement, then click Next.

4 Select the installation appropriate to your configuration and server type:

• Dual Server (Internal) — Internal server in enhanced security configurations

• Dual Server (External) — External server in enhanced security configurations

• Single Server — Basic security configurations

5 Complete the component settings screens.

Settings for components provides option definitions for all component settings screens.

6 Review the information on the Summary screen, then click Install. When installation is complete, click Finish.

See also
• Run the Deployment Helper
• Database settings
• LDAP server settings
• Communication settings
• DMZ settings

Add McAfee EMM as a registered server in ePolicy Orchestrator

Configure access to the McAfee EMM server by adding it as a registered server.

Before you begin

Install or configure the McAfee EMM extension bundle.

Task

For option definitions, click ? in the interface.

1 On the ePolicy Orchestrator console, select Menu | Configuration | Registered Servers, then click New Server.

2 From the Server type drop-down list, select EMM Hub, enter a unique name for the server, then click Next.

3 Provide details about the connection to your McAfee EMM server, click Establish Connection to test your configuration, then click Save.

For a first-time installation, the default logon credentials are:

• User name — admin

• Password — TDadmin*

To secure the connection between the McAfee EMM Hub and the ePolicy Orchestrator server, change the default credentials after adding the registered server. See the McAfee EMM Product Guide for details.

3 Upgrading in enhanced or basic security configurations

You can upgrade to McAfee EMM 12.0 from version 11.0. No direct upgrade path is available for earlier versions.

Verify system requirements before upgrading because requirements change from version to version.

To upgrade from version 11.0, complete these tasks in order.

Contents
• Upgrade the McAfee EMM ePolicy Orchestrator extension bundle
• Upgrade McAfee EMM server components

Upgrade the McAfee EMM ePolicy Orchestrator extension bundle

Upgrading the McAfee EMM extension bundle preserves existing policies and settings. New options added in this version are inactive by default.

To upgrade the McAfee EMM extension bundle, install the updated extension bundle in ePolicy Orchestrator. You don't have to uninstall the existing product extension bundle first, but the McAfee EMM 11.0 Help must be manually removed before upgrade.

This method manually installs the McAfee EMM extension bundle from a local copy. For details about other methods of checking in product packages, including using the Software Manager, see the ePolicy Orchestrator documentation.

Task

For option definitions, click ? in the interface.

1 Manually remove the McAfee EMM 11.0 Help extension.

a In the ePolicy Orchestrator console, select Menu | Software | Extensions.

b From the Extensions list, select Help Content.

c Select the McAfee EMM Help extension (emm_help), click Remove, then click OK to confirm.

2 Download and save the McAfee EMM extension bundle in an accessible location.

Don't unzip the file.

3 On the ePolicy Orchestrator console, select Menu | Software | Extensions, then click Install Extension.

4 Browse to and select the McAfee EMM extension bundle, then click OK.

5 Review and accept the product details and license agreement, then click OK.

6 Clear the web browser cache.

Upgrade McAfee EMM server components

Upgrading version 11.0 server components preserves your existing McAfee EMM installation, including database and authorization directories. The upgrade process differs based on your configuration.

Before you begin

Back up your existing McAfee EMM installation. See the McAfee EMM Product Guide for details.

If you assigned packages to individual users in previous versions of McAfee EMM, manually reassign these packages to groups. You can no longer assign packages on a per-user basis.

Tasks

• Upgrade McAfee EMM server components in enhanced security configurations
In enhanced security configurations, the McAfee EMM servers must be upgraded in a specific order.

• Upgrade McAfee EMM server components in basic security configurations
In basic security configurations, upgrade all McAfee EMM server components simultaneously.

Upgrade McAfee EMM server components in enhanced security configurations

In enhanced security configurations, the McAfee EMM servers must be upgraded in a specific order.

Task

• Follow the instructions in KB81482.

Upgrade McAfee EMM server components in basic security configurations

In basic security configurations, upgrade all McAfee EMM server components simultaneously.

Task

1 Log on to the server with the McAfee EMM service account.

2 Locate and right-click the installer file Setup.exe, then select Run as Administrator.

Click Yes if prompted to restart the server. The installer continues automatically after restarting.

3 Review and accept the terms of the license agreement, then click Next.

Select Use Configuration from Previous Installations if you want to keep settings from a previous upgrade. If you're reusing an existing McAfee EMM database for upgrade, settings from the previous installation are preserved by default, regardless of any changes you make in the installer.

4 Click Upgrade.

5 Review the information on the Summary screen, then click Upgrade. When installation is complete, click Finish.


4 Installing or upgrading in High Availability configurations

HA environments require modified installation and upgrade to ensure continuous email access.

Contents
• Install McAfee EMM in High Availability environments
• Upgrade McAfee EMM in High Availability environments

Install McAfee EMM in High Availability environments

In HA environments, install the McAfee EMM Proxy and Hub on multiple servers to ensure continual access.

Plan your installation using hardware redundancy options like Network load balancing (NLB), multiple ePolicy Orchestrator Agent Handlers, SQL Server replication, or clustering options built into the operating system and applications.

For details about installing McAfee EMM in HA environments, see KB70278.

Task

1 Install the McAfee EMM extension bundle in ePolicy Orchestrator.

See Install the McAfee EMM extension bundle in ePolicy Orchestrator.

2 Use the Dual Server (Internal) option in the McAfee EMM installer to install the first Hub and database on a single server.

3 Stop IIS on any additional internal servers where you plan to install the McAfee EMM Hub and database.

4 Add McAfee EMM as a registered server in ePolicy Orchestrator with the virtual IP address of the Hub load balancer.

See Add McAfee EMM as a registered server in ePolicy Orchestrator.

5 Export an encryption key from ePolicy Orchestrator.

a Select Menu | Configuration | Server Settings | Enterprise Mobility Management.

b In the General Settings section, in the Encryption Key row, click Export.

c Enter a Key password, then click OK.

6 Use the Custom Installation option in the McAfee EMM installer, along with the encryption key, to install the Hub and database on more internal servers. Restart IIS on each server after installation.

Install both the McAfee EMM Hub and database on each server.


7 Use the Dual Server (External) option in the McAfee EMM installer to install the Proxy, Portal, and Push Notifier on the DMZ servers.

8 Pair systems using load balancing appropriate for your setup.

See also
• Install the McAfee EMM extension bundle in ePolicy Orchestrator
• Add McAfee EMM as a registered server in ePolicy Orchestrator

Upgrade McAfee EMM in High Availability environments

In HA environments, the McAfee EMM servers must be upgraded in a specific order.

Task

• Follow the instructions in KB81482.


A Settings for components

Use these tables to configure settings for the Deployment Helper and McAfee EMM server components.

If you use the installer to upgrade components while reusing an existing database, the new component is installed with existing settings, regardless of any changes you make in the installer. This functionality prevents accidentally overriding McAfee EMM database settings that affect your network. If you upgrade an individual component and create a new database, you can reuse old settings, or change them as needed.

Contents
• Database settings
• LDAP server settings
• Hub server settings
• Portal certificate settings
• MDM certificate settings
• Communication settings
• ActiveSync server settings
• GCM settings
• DMZ settings

Database settings

These settings in the Deployment Helper and installer identify the SQL Server that hosts the McAfee EMM database.

Option | Definition
Use SQL Express (Deployment Helper only) | Installs SQL Express on the local system and creates the McAfee EMM database. SQL Express is appropriate only for trial installations, with a single, on-premise server used in non-production environments.
Server name | Host name or IP address of the SQL Server where you want to install the McAfee EMM database.
Authentication | Windows Authentication (recommended); SQL Authentication
Username or Login | User name for the connection to the McAfee EMM database server.
Password | Password for the connection to the McAfee EMM database server.
Database | Name for the McAfee EMM database.

See also
• Run the Deployment Helper
• Install McAfee EMM server components


LDAP server settings

These settings in the Deployment Helper and installer identify the server for authenticating users. Fields vary depending on which authentication type you select.

Option | Definition
Server Type | Active Directory; Domino; ActiveSync Protocol
FQDN | Fully qualified domain name of the LDAP server.
Domain | Active Directory — Windows NetBIOS domain name. Domino — Name of the Domino domain.
DN | Domain distinguished name of the LDAP server. Active Directory — This field is populated with the domain components when Domain FQDN is completed. Domino — Leave this field blank.
ActiveSync Server (installer only) | IP address or fully qualified domain name of the ActiveSync server.
Username or Verification Username | User name for the connection to the authentication server. For ActiveSync authentication, the account used to install McAfee EMM can't be an administrative account. We recommend a service account with permissions to query group membership.
Password or Verification Password | Password for the connection to the authentication server.
External EMM Proxy Server Address | Fully qualified domain name of the McAfee EMM Proxy. Devices connect to this McAfee EMM Proxy address for ActiveSync.

See also
• Run the Deployment Helper
• Install McAfee EMM server components

Hub server settings

These settings in the Deployment Helper connect the DMZ server in an enhanced security installation to the internal McAfee EMM Hub server.

Option | Definition
Server address | Fully qualified domain name or IP address of the McAfee EMM Hub server

See also
• Run the Deployment Helper


Portal certificate settings

These settings in the Deployment Helper specify the portal certificate. The Deployment Helper can also assist with generating a certificate signing request (CSR), then creating a portal certificate from the verified CSR.

On the Provide a Portal Certificate screen of the Deployment Helper, select one of these options:

• Create new SSL certificate to generate an SSL certificate, followed by specifying the certificate you created.

• Use existing SSL certificate to specify an existing, valid SSL certificate.

Generate a portal certificate

Step | Option | Definition
1 Generate the CSR. | Common Name | URL that you want customers to connect to. For a wildcard certificate, add an asterisk before the common name, for example, *.domainname.com.
 | Organization | Legally incorporated name of your company.
 | Organization Unit | Unit within your organization requesting the certificate, for example, Engineering or Human Resources. You can enter a DBA (doing business as) name in this field.
 | City/Locality | Unabbreviated city where your organization is legally registered.
 | State/Province | Unabbreviated state or province where your organization is legally registered.
 | Country/Region | Two-letter ISO country code where your organization is legally registered, like US or FR.
 | Certificate Request File Path | Browse to select the location to store the certificate request.
2 Verify the CSR. | | This step is completed outside the Deployment Helper. Contact a valid certificate authority (CA) for verification.
3 Generate the portal certificate. | Certificate File Path | Browse to select the .cer or .pem file created in step 2.
 | Certificate Password | Password for the certificate.

Specify a portal certificate

Option | Definition
File Path | Browse to select the .pfx file.
Password | Password for the certificate.

See also
• Run the Deployment Helper
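Before selecting a .pfx as the portal certificate, it helps to confirm that the file opens with the password you hold, carries a private key, is inside its validity period, and covers the portal name, including the one-label rule for a wildcard such as *.domainname.com. The PowerShell below is an added example, not McAfee code; the function name, the 30-day margin, and the sample path and host name are assumptions.

```powershell
# Added example, not McAfee code. Pre-checks a portal .pfx before it is
# selected in the Deployment Helper or the installer.
function Test-PortalPfx {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [Parameter(Mandatory = $true)][string]$PortalFqdn,   # name devices connect to
        [int]$MinDaysValid = 30                              # assumed renewal margin
    )

    # Throws if the file is not a PFX or the password is wrong.
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $Password

    # Names the certificate covers: subject CN plus any DNS entries in the SAN.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $names = @($cert.GetNameInfo($nameType, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is localized; 'DNS Name=' is the English Windows form (assumption).
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    $hostName = $PortalFqdn.ToLowerInvariant()
    $nameMatch = $false
    foreach ($n in $names) {
        $n = $n.ToLowerInvariant()
        if ($n -eq $hostName) {
            $nameMatch = $true
        }
        elseif ($n.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.domainname.com matches
            # portal.domainname.com, but not a.b.domainname.com or domainname.com.
            $suffix = $n.Substring(1)
            if ($hostName.EndsWith($suffix)) {
                $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { $nameMatch = $true }
            }
        }
    }

    $now = Get-Date
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    $result = [pscustomobject]@{
        Subject       = $cert.Subject
        CoveredNames  = ($names | Select-Object -Unique) -join ', '
        HasPrivateKey = $cert.HasPrivateKey
        NotYetValid   = ($now -lt $cert.NotBefore)
        DaysRemaining = $daysLeft
        MatchesPortal = $nameMatch
        Usable        = ($cert.HasPrivateKey -and $nameMatch -and
                         ($now -ge $cert.NotBefore) -and ($daysLeft -ge $MinDaysValid))
    }
    $cert.Reset()   # release the loaded certificate and key handle
    $result
}

# Usage (constructed path and host name):
# $pw = Read-Host 'PFX password' -AsSecureString
# Test-PortalPfx -Path C:\certs\portal.pfx -Password $pw -PortalFqdn emm.domainname.com
```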


MDM certificate settings

These settings in the Deployment Helper specify the MDM certificate. The Deployment Helper can also assist with generating a CSR, then creating an MDM certificate from the verified CSR.

On the Provide an MDM Certificate screen of the Deployment Helper, select one of these options:

• Create new/renew existing MDM certificate to generate an MDM certificate, followed by specifying the certificate you created.

• Use existing MDM certificate to specify an existing, valid MDM certificate.

Generate an MDM certificate

Step | Option | Definition
1 Generate the CSR. | Common Name | URL that you want customers to connect to.
 | Email | Email address of the administrator making the request.
 | Country/Region | Two-letter ISO country code where your organization is legally registered, like US or FR.
 | Certificate Request File Path | Browse to select the location to store the certificate request.
2 Verify the CSR. | | This step is completed outside the Deployment Helper. Follow the instructions in KB73382 to verify the CSR through Apple.
3 Generate the MDM certificate. | Certificate File Path | Browse to select the .pem file created in step 2.
 | Certificate Password | Password for the certificate.

Specify an MDM certificate

Option | Definition
File Path | Browse to select the .pfx file.
Password | Password for the certificate.

See also
• Run the Deployment Helper

Communication settings

These settings in the installer specify portal and MDM certificates, and GCM account credentials.

Option | Definition
Portal Certificate: Available Certificates | Select an existing certificate from an earlier McAfee EMM installation, or select Use New Certificate to specify a new certificate.
Portal Certificate: File Path | Browse to select the portal certificate.
Portal Certificate: Password | Password for the portal certificate.
MDM Push Certificate: File Path | Browse to select the MDM certificate.
MDM Push Certificate: Password | Password for the MDM certificate.
GCM Settings: Sender ID | Project number of your Google API project.
GCM Settings: Token | API key value of your Google API project. To verify connection to the Google server, click the green checkmark next to the Token field.

See also
• Install McAfee EMM server components

ActiveSync server settings

These settings in the Deployment Helper identify the ActiveSync server that communicates with the McAfee EMM Proxy.

Option | Definition
Server Address | Fully qualified domain name of the ActiveSync server. For a Domino server, enter <servername>/servlet/traveler.
Domain Name | Domain name of the ActiveSync server.
Username | User name for the connection to the ActiveSync server.
Password | Password for the connection to the ActiveSync server.

See also
• Run the Deployment Helper

GCM settings

These settings in the Deployment Helper validate GCM account credentials.

Option | Definition
Sender ID | Project number of your Google API project.
Token | API key value of your Google API project.

See also
• Run the Deployment Helper

DMZ settings

These settings in the installer identify the ActiveSync server that communicates with the McAfee EMM Proxy.

Option | Definition
ActiveSync Server Address | Fully qualified domain name of the ActiveSync server. To verify connection to the server, click the green checkmark next to the server address, then click Verify.

See also
• Install McAfee EMM server components
