Video Screencast Help

Illustrated Guide to Installing Symantec Mobile Security 7.2

Created: 04 Feb 2013 • Updated: 02 Jul 2013 | 7 comments
Language Translations
Mick2009's picture
+8 8 Votes
Login to vote

(Baddies) Party Like It's 1999

In the 1990's, I remember working on large offices full of computers where only the odd server had any AntiVirus installed at all.  Those were the relatively early days before users were well educated about security matters.  We all learned fast when the networks fell victim to that era's series of viruses and worms.

Today, it seems that there is a smartphone in every pocket.  These Androids have more storage and processing power that those desktop machines of the 90's, far better networking capabilities and usually much more personal information on them than an office computer.  While the people carrying those phones have learned to keep their desktops, servers and laptops protected, most are still walking around without any AV or firewall on their powerful mobile computers.  It's no surprise that every day the bad guys develop new threats that target the Android OS, and there have already been enormous Android botnets discovered.

Symantec sponsors mobilesecurity.com with information and educational resources that can help raise awareness of these current threats.  Symantec also offers two products designed to keep those Android phones, tablets and other devices secure: here's an article with details on which is best suited to an individual or company's need: 

 

Comparing Symantec Mobile Security 7.2 and Norton Mobile Security
http://www.symantec.com/docs/TECH202054
 

 

Get Connected

Deploying the large-scale enterprise product, Symantec Mobile Security 7.2, is not as straightforward as mailing every cell phone the .apk (Android installer file) and instructing owners to run it. 

  1. A management server needs to be set up first, and then
  2. the Android clients use their browser to connect to that Symantec Management Platform and download the .apk
  3. Protection is only enabled once that .apk is installed and the Mobile Security client app is enrolled with the server.    

This illustrated article walks admins through how to set up Symantec Mobile Security 7.2 (SMS 7.2) on the server and then on the phone.  This is a process which some admins can find confusing and time consuming: hopefully the example walk-through below will ease admins over any pain points. 

 

Know Before You Go

Here is a link to the official documentation: read these and keep them on hand!  This Connect article is a a quick illustration, not a comprehensive install guide.

Symantec Mobile Security 7.2 Quick-start Guide 
http://www.symantec.com/docs/DOC5664 
 

Symantec Mobile Security 7.2 Implementation Guide
http://www.symantec.com/docs/DOC5661

 

These Release Notes also contain important information:

Symantec™ Mobile Security 7.2 Release Notes
http://www.symantec.com/docs/DOC5663 
 

Be sure the server that will be the Symantec Management Platform 7.1 SP2 (formally known as Altiris ITMS) meets all the system requirements before beginning your install.  It does require a capable server: guaranteed, there will be poor performance and errors if the server chosen is an old machine already in use by several other server programs, or if a small and underpowered VMWare image is used.  Ensure you have:

  • 4 GB RAM minimum
  • 5 GB free Hard Drive (minimum)
  • Microsoft Windows Server 2008 x64 R2
  • Microsoft SQL Server 2005 (SP2/SP3/SP4) or Microsoft SQL Server 2008 (SP1/SP2/R2/R2,SP1).  SQL Server Express will do for testing and for installations serving less than 500 devices.
  • Microsoft .NET Framework 3.5
  • Microsoft Silverlight 3.x, 4.x, 5
  • Microsoft IIS 7.5 (IIS 6.0 compatibility)
  • Internet Explorer 7,8, or 9
  • JRE 6 or higher

(See below for a couple additional recommendations about the SMP, too.)

SMS 7.2 can defend Androids with version 2.2 and above.  It can also protect older Windows Mobile 5 through 6.5 devices.

 

Know Before You Go, Part 2

Right from the very start: give some thought to your architecture and Disaster Recovery. 

  • Is it best to put the MS SQL database on the same server as your Symantec Management Platform (SMP), or to connect to a remote MS SQL server?
  • What backup software is in use in your enterprise?  Is the server you have chosen to be your SMP one that can be backed up entirely?  Backing up just the database using MS SQL's built-in tools won't be enough.
  • Is there a spare server of similar hardware / specifications which can be used in case the SMP is lost and needs to be rebuilt? 

The earlier you plan ahead in case of disaster, the quicker you'll be able to recover in case of catestrophic failure.  See the following article for some important considerations:

Disaster Recovery Advice for Symantec Mobile Security 7.2 and Symantec Mobile Management 7.2
http://www.symantec.com/docs/TECH202972 
    

 

OK, I Know Now.  Let's Go!

If you already have Symantc Installation Manager (SIM) and an Altiris/Symantec Management Platform (SMP) server set up, installation is easy!  SMS 7.2 SP1 can be deployed right from the Symantec Installation Manager (SIM).  

If not, the SIM can be downloaded from fileconnect (go to https://fileconnect.symantec.com and use your Serial Number).  The SIM is the file named “Symantec_Mobile_Security_7.2_SMP-SIM_IE.exe” – install it!  SIM will be the tool used to install SMS 7.2 (and the SMP necessary to manage it).

(You may also download from go.symantec.com/Get_Mobile_Security using your Symantec account.)

In the Symantec Installation Manager, place a check next to Symantec Mobile Security MR1.  SIM will automatically add any other dependent products that are needed (including Altiris/Notification Server/Symantec Management Platform.)

 

 

There will be some readiness checks run.  If the server is not up to standard or lacks a necessary component, details will be provided.  It is very important that all requirements are met here at the beginning.

As promised above, I would also like to add three necessities that are not on that list:

  1. A fixed IP address.  To save no end of headaches later, your Symantec Management Platform server absolutely needs a fixed IP.  If the server IP address changes after installation and deployment of the Mobile Security app to the clients, it's very difficult for the Android phones (and Windows Mobile devices, too) to be configured to communicate with a new address. 
  2. The latest Java.  There have been many Java vulnerabilities (and threats which exploit them) discovered in recent months.  Be sure your SMP server is running a release that is recent and patched against these threats.
  3. FQDN.  Failure to resolve the address of the server would prevent the Android clients from reporting back in to get new policies, report events, etc.  Make sure that the SMP is set up with a Full Qualified Domain Name so that Android clients can resolve the name of the server easily into an IP. 

 

 

Several screens worth of configuration information will be required.  Here is how I (successfully) filled these out for a new server called MICKSMS72 which is in an Active Directory domain.

 

 

 

Once everything is entered correctly and SIM has downloaded and verified all the necessary files, you are ready to roll! Confirm all details are correct and then Begin install.

 

Coffee Time....

Installation can take a while (especially if no SMP was already installed).  Here's an install in progress....

 

Once it is successfully installed, you will see your products listed in SIM.  (Yes, there are two entries for Symantec Mobile Security.  That is normal and correct.)

 

Fun with the Symantec Management Console

Now, time to go have a look at the Symantec Management Console!  It is the place to go to create polices, view reports and logs, carry out actions like removely blaring an alarm from a stolen Android....

The SMC is a web-based admin interface.  It can be run from the SMP server from the start menu (Start, Programs, Symantec, ) or from any Internet Explorer web browser which can access the SMP machine: http://[IP of SMP server]/Altiris/Console.  A login credentials pop-up will deliver a "401- Unauthorized" to keep out anyone who should not be accessing these components.   

 

Keep those login credentials secure.  There are very powerful actions that can be initiated from the console (locking or completely wiping Android phones) and much sensitive information that can potentially be viewed there (geographical location of phones, lists of files scanned and URLs of websites visited).  For sake of security and privacy, it is vital that only selected, approved admins have access to the console.

 

Once logged in, click Home > MobileSecurity and then in the left pane, select Settings.  Make sure that the Mobile Security Gateway installed on the SMP is Active.

 

Here's an article with more information about MSG:

Recommendations for Configuring a Healthy Mobile Security Gateway for Symantec Mobile Security 7.2
http://www.symantec.com/docs/TECH197866

 

Who Goes There?

Next, ensure that your SMP is configured to allow the Android phone owners to be able to enroll themselves!  There are a couple of ways to do this (see the Quick Start Guide for full details) but I generally configure SMP to recognize the users already present in my Active Diretcory domain. (I have created a Group called androidusers in Active Directory Users and Computers.  Any users approved to have SMS 7.2 on their Android is added there.)

  1. On the console, go to Home > Mobile Security > Settings > Android Configuration.
  2. Under Device Enrollment > Device authentication, select "Use Active/LDAP authentication"
  3. Supply valid information for your AD Domain Controller(s) or other LDAP server.

 

Enough Backstory.  Get Some Androids on Screen!

Now it is time to download, install and enroll the Mobile Security client app on the Android. Open the browser on the Android and enter in http://[IP of SMP server]/MobileSecurityDeployment/AndroidInstall.aspx.   A MobileSecurity.apk package will be downloaded. 

 

 

Click through the install of that downloaded app... I won't illustrate it here because it's pretty straightforward.

Launch the MobileSecurity app and the user is prompted to Enroll. A couple of tricky points:

  • When it is asking for Server, the app is asking for the Management Server Gateway.  Be sure to use port 443, not the port 80 used for downloading the app!
  • The most common cause for failed enrollments is that the user is not one that the SMP knows about.  Be sure to be specifying a user who was configured in Android Configuration, Device Enrollment.
  • If that is an Active Directory domain user, type in domain \ username
  • The second most common cause for failure is fat fingers.  &: )  Be sure that passwords are typed correctly!

Here's a successful enrollment:

 

Once that is done, the Android device appears in the SMC and the client app's GUI is enabled.  Here a scan has detected the eicar test file.....

 

 

...And here is our friend androidguy1 in the SMC.

 

 

License and Registration, Please

Generally, there’s no need to license SMS 7.2 from the beginning.   When installed, it automatically has a 30-day trial license which offers full functionality.  After that 30 day period is when the product will need to have the license applied.   Here’s an article which has some additional details:

Licensing Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH201488       

 

Any Last Words?

Remember: this is just a brief overview of the installation process for SMS 7.2.  Full details are in the guides, above, and Symantec has created hundreds of knowledgebase articles should anything go wrong with the Symantec Management Platform.  A quick search should get you back on your way.  If you get stuck, peers in the Connect Forum  can help or you can call on professional assistance from Technical Support. 

If setting up the SMP server seems like a lot of work, remember: it's something that generally only has to be done once.  &: )   Once the SMP is in place, it is an easy process to set up additional MSG's, create advanced architectures, deploy policies and so on. 

So: time to live life to the fullest in the 21st century!  Please do give Symantec Mobile Security 7.2 a try, and get those Androids protected!

 

Please do leave comments below to provide feedback on how your own install went, and highlight any tips you have discovered that other admins may find useful.   

Comments 7 CommentsJump to latest comment

Mick2009's picture

Here is a proposed enhancement request that may make client enrollment easier for end users.  Please do vote up or down if you feel this would be worth the extra admin work: 

 

Automatic or Assisted Enrollment for Symantec Mobile Security 7.2 Android Client
https://www-secure.symantec.com/connect/ideas/automatic-or-assisted-enrollment-symantec-mobile-security-72-android-client

With thanks and best regards,

Mick

+2
Login to vote
Mick2009's picture

Follow-up article now available!  Here's a little intro to what the end user can expect to see on their Android from Symantec Mobile Security 7.2: 

 

Getting to Know the Symantec Mobile Security 7.2 Client

https://www-secure.symantec.com/connect/articles/getting-know-symantec-mobile-security-72-client

With thanks and best regards,

Mick

-3
Login to vote
yang_zhang's picture

It's said that the Altiris will be sold by Symantec. So, what's the roadmap of SMS?

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
+1
Login to vote
Mick2009's picture

Hi Yang,

I can't really comment on the roadmap, but there are cool new features ahead for the next release of SMS 7.2.  That's under development now.

With thanks and best regards,

Mick

-3
Login to vote
Mick2009's picture

This article will be of interest, though it deals with an old Android 1.6.  (SMS 7.2 works on 2.2 and above.  I will test to ensure that our current products catch the safebot in question!)

The Potential for Data Loss from “Security Protected” Smartphones
https://www-secure.symantec.com/connect/articles/potential-data-loss-security-protected-smartphones
 

With thanks and best regards,

Mick

-1
Login to vote
Mick2009's picture

New SMS 7.2 article!  &: )

About Windows Mobile in Symantec Mobile Security 7.2

https://www-secure.symantec.com/connect/articles/about-windows-mobile-symantec-mobile-security-72

With thanks and best regards,

Mick

-1
Login to vote
Mick2009's picture

Hi all,

There is now a fourth article in this SMS 7.2 series.....

Upgrading Mobile Security Gateways for Symantec Mobile Security 7.2
https://www-secure.symantec.com/connect/articles/upgrading-mobile-security-gateways-symantec-mobile-security-72

With thanks and best regards,

Mick

-3
Login to vote