(Baddies) Party Like It's 1999
In the 1990's, I remember working in large offices full of computers where only the odd server had any AntiVirus installed at all. Those were the relatively early days before users were well educated about security matters. We all learned fast when the networks fell victim to that era's series of viruses and worms.
Today, it seems that there is a smartphone in every pocket. These Androids have more storage and processing power than those desktop machines of the 90's, far better networking capabilities and usually much more personal information on them than an office computer. While the people carrying those phones have learned to keep their desktops, servers and laptops protected, most are still walking around without any AV or firewall on their powerful mobile computers. It's no surprise that every day the bad guys develop new threats that target the Android OS, and there have already been enormous Android botnets discovered.
Symantec sponsors mobilesecurity.com with information and educational resources that can help raise awareness of these current threats. Symantec also offers two products designed to keep those Android phones, tablets and other devices secure: here's an article with details on which is best suited to an individual or company's need:
Comparing Symantec Mobile Security 7.2 and Norton Mobile Security
Deploying the large-scale enterprise product, Symantec Mobile Security 7.2, is not as straightforward as mailing every cell phone the .apk (Android installer file) and instructing owners to run it.
- A management server needs to be set up first, and then
- the Android clients use their browser to connect to that Symantec Management Platform and download the .apk.
- Protection is only enabled once that .apk is installed and the Mobile Security client app is enrolled with the server.
This illustrated article walks admins through how to set up Symantec Mobile Security 7.2 (SMS 7.2) on the server and then on the phone. This is a process which some admins can find confusing and time consuming: hopefully the example walk-through below will ease admins over any pain points.
Know Before You Go
Here are links to the official documentation: read these guides and keep them on hand! This Connect article is a quick illustration, not a comprehensive install guide.
Symantec Mobile Security 7.2 Quick-start Guide
Symantec Mobile Security 7.2 Implementation Guide
These Release Notes also contain important information:
Symantec™ Mobile Security 7.2 Release Notes
Be sure the server that will be the Symantec Management Platform 7.1 SP2 (formerly known as Altiris ITMS) meets all the system requirements before beginning your install. It does require a capable server: guaranteed, there will be poor performance and errors if the server chosen is an old machine already in use by several other server programs, or if a small and underpowered VMware image is used. Ensure you have:
- 4 GB RAM minimum
- 5 GB free Hard Drive (minimum)
- Microsoft Windows Server 2008 x64 R2
- Microsoft SQL Server 2005 (SP2/SP3/SP4) or Microsoft SQL Server 2008 (SP1/SP2/R2/R2,SP1). SQL Server Express will do for testing and for installations serving fewer than 500 devices.
- Microsoft .NET Framework 3.5
- Microsoft Silverlight 3.x, 4.x, 5
- Microsoft IIS 7.5 (IIS 6.0 compatibility)
- Internet Explorer 7, 8, or 9
- JRE 6 or higher
(See below for a couple of additional recommendations about the SMP, too.)
SMS 7.2 can defend Androids with version 2.2 and above. It can also protect older Windows Mobile 5 through 6.5 devices.
Know Before You Go, Part 2
Right from the very start: give some thought to your architecture and Disaster Recovery.
- Is it best to put the MS SQL database on the same server as your Symantec Management Platform (SMP), or to connect to a remote MS SQL server?
- What backup software is in use in your enterprise? Is the server you have chosen to be your SMP one that can be backed up entirely? Backing up just the database using MS SQL's built-in tools won't be enough.
- Is there a spare server of similar hardware / specifications which can be used in case the SMP is lost and needs to be rebuilt?
The earlier you plan ahead in case of disaster, the quicker you'll be able to recover in case of catastrophic failure. See the following article for some important considerations:
Disaster Recovery Advice for Symantec Mobile Security 7.2 and Symantec Mobile Management 7.2
OK, I Know Now. Let's Go!
If you already have Symantec Installation Manager (SIM) and an Altiris/Symantec Management Platform (SMP) server set up, installation is easy! SMS 7.2 SP1 can be deployed right from the Symantec Installation Manager (SIM).
If not, the SIM can be downloaded from fileconnect (go to https://fileconnect.symantec.com and use your Serial Number). The SIM is the file named “Symantec_Mobile_Security_7.2_SMP-SIM_IE.exe” – install it! SIM will be the tool used to install SMS 7.2 (and the SMP necessary to manage it).
(You may also download from go.symantec.com/Get_Mobile_Security using your Symantec account.)
In the Symantec Installation Manager, place a check next to Symantec Mobile Security MR1. SIM will automatically add any other dependent products that are needed (including Altiris/Notification Server/Symantec Management Platform.)
There will be some readiness checks run. If the server is not up to standard or lacks a necessary component, details will be provided. It is very important that all requirements are met here at the beginning.
As promised above, I would also like to add three necessities that are not on that list:
- A fixed IP address. To save no end of headaches later, your Symantec Management Platform server absolutely needs a fixed IP. If the server IP address changes after installation and deployment of the Mobile Security app to the clients, it's very difficult for the Android phones (and Windows Mobile devices, too) to be configured to communicate with a new address.
- The latest Java. There have been many Java vulnerabilities (and threats which exploit them) discovered in recent months. Be sure your SMP server is running a release that is recent and patched against these threats.
- FQDN. Failure to resolve the address of the server would prevent the Android clients from reporting back in to get new policies, report events, etc. Make sure that the SMP is set up with a Fully Qualified Domain Name so that Android clients can resolve the name of the server easily into an IP.
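A pre-flight check along these lines can be run on the intended server before starting SIM. This is an added example, not a Symantec tool: it covers the RAM, disk and OS items from the requirements list plus the fixed IP and FQDN points above, and it assumes the install target is the system drive (all variable and function names are illustrative).

```powershell
# Added example: pre-flight check, run in PowerShell on the intended SMP server.
# Thresholds are the minimums listed in this article.
$minRamGB = 4; $minFreeGB = 5
$results = @()
function Add-Result($name, $ok, $detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $name; Passed = [bool]$ok; Detail = $detail }
}

# RAM: rounded to whole GB because firmware reserves a little of the installed memory
$ramGB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
Add-Result 'RAM >= 4 GB' ($ramGB -ge $minRamGB) "$ramGB GB"

# Free space on the system drive (assumption: that is the install target)
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
Add-Result 'Free disk >= 5 GB' ($freeGB -ge $minFreeGB) "$freeGB GB free on $($env:SystemDrive)"

# OS: Windows Server 2008 R2 is version 6.1, server edition (ProductType 2 or 3), 64-bit
$os = Get-WmiObject Win32_OperatingSystem
$osOk = ($os.Version -like '6.1.*') -and ($os.ProductType -ne 1) -and ($os.OSArchitecture -like '64*')
Add-Result 'Server 2008 R2 x64' $osOk $os.Caption

# Fixed IP: no IP-enabled adapter may be getting its address from DHCP
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
$dhcp = @($nics | Where-Object { $_.DHCPEnabled })
$localIPs = @($nics | ForEach-Object { $_.IPAddress })
Add-Result 'Fixed IP' (($nics.Count -gt 0) -and ($dhcp.Count -eq 0)) ($localIPs -join ', ')

# FQDN: host must have a DNS domain suffix, and host.domain must resolve to this server
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = "$($ipProps.HostName).$($ipProps.DomainName)"
$fqdnOk = $false; $detail = 'no DNS domain suffix configured'
if ($ipProps.DomainName) {
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString })
        $fqdnOk = @($resolved | Where-Object { $localIPs -contains $_ }).Count -gt 0
        $detail = "$fqdn -> $($resolved -join ', ')"
    } catch { $detail = "$fqdn does not resolve" }
}
Add-Result 'FQDN resolves' $fqdnOk $detail

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize
```

A pass on the FQDN row only shows that the name resolves from the server itself; the phones resolve it through whatever DNS their own network provides, so repeat the lookup from a device on that network.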
Several screens' worth of configuration information will be required. Here is how I (successfully) filled these out for a new server called MICKSMS72 which is in an Active Directory domain.
Once everything is entered correctly and SIM has downloaded and verified all the necessary files, you are ready to roll! Confirm all details are correct and then Begin install.
Installation can take a while (especially if no SMP was already installed). Here's an install in progress....
Once it is successfully installed, you will see your products listed in SIM. (Yes, there are two entries for Symantec Mobile Security. That is normal and correct.)
Fun with the Symantec Management Console
Now, time to go have a look at the Symantec Management Console! It is the place to go to create policies, view reports and logs, carry out actions like remotely blaring an alarm from a stolen Android....
The SMC is a web-based admin interface. It can be run from the SMP server from the start menu (Start, Programs, Symantec, ) or from any Internet Explorer web browser which can access the SMP machine: http://[IP of SMP server]/Altiris/Console. A login prompt will appear, and anyone who should not be accessing these components is turned away with a "401 - Unauthorized" error.
Keep those login credentials secure. There are very powerful actions that can be initiated from the console (locking or completely wiping Android phones) and much sensitive information that can potentially be viewed there (geographical location of phones, lists of files scanned and URLs of websites visited). For the sake of security and privacy, it is vital that only selected, approved admins have access to the console.
Once logged in, click Home > MobileSecurity and then in the left pane, select Settings. Make sure that the Mobile Security Gateway installed on the SMP is Active.
Here's an article with more information about MSG:
Recommendations for Configuring a Healthy Mobile Security Gateway for Symantec Mobile Security 7.2
Who Goes There?
Next, ensure that your SMP is configured to allow Android phone owners to enroll themselves! There are a couple of ways to do this (see the Quick Start Guide for full details) but I generally configure SMP to recognize the users already present in my Active Directory domain. (I have created a Group called androidusers in Active Directory Users and Computers. Any users approved to have SMS 7.2 on their Android are added there.)
- On the console, go to Home > Mobile Security > Settings > Android Configuration.
- Under Device Enrollment > Device authentication, select "Use Active/LDAP authentication"
- Supply valid information for your AD Domain Controller(s) or other LDAP server.
Enough Backstory. Get Some Androids on Screen!
Now it is time to download, install and enroll the Mobile Security client app on the Android. Open the browser on the Android and enter in http://[IP of SMP server]/MobileSecurityDeployment/AndroidInstall.aspx. A MobileSecurity.apk package will be downloaded.
Click through the install of that downloaded app... I won't illustrate it here because it's pretty straightforward.
Launch the MobileSecurity app and the user is prompted to Enroll. A couple of tricky points:
- When it is asking for Server, the app is asking for the Management Server Gateway. Be sure to use port 443, not the port 80 used for downloading the app!
- The most common cause for failed enrollments is that the user is not one that the SMP knows about. Be sure to specify a user who was configured in Android Configuration, Device Enrollment.
- If that is an Active Directory domain user, type in domain \ username
- The second most common cause for failure is fat fingers. &: ) Be sure that passwords are typed correctly!
Here's a successful enrollment:
Once that is done, the Android device appears in the SMC and the client app's GUI is enabled. Here a scan has detected the eicar test file.....
...And here is our friend androidguy1 in the SMC.
License and Registration, Please
Generally, there’s no need to license SMS 7.2 from the beginning. When installed, it automatically has a 30-day trial license which offers full functionality. Once that 30-day period ends, the product will need to have the license applied. Here’s an article which has some additional details:
Licensing Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH201488
Any Last Words?
Remember: this is just a brief overview of the installation process for SMS 7.2. Full details are in the guides, above, and Symantec has created hundreds of knowledgebase articles should anything go wrong with the Symantec Management Platform. A quick search should get you back on your way. If you get stuck, peers in the Connect Forum can help or you can call on professional assistance from Technical Support.
If setting up the SMP server seems like a lot of work, remember: it's something that generally only has to be done once. &: ) Once the SMP is in place, it is an easy process to set up additional MSGs, create advanced architectures, deploy policies and so on.
So: time to live life to the fullest in the 21st century! Please do give Symantec Mobile Security 7.2 a try, and get those Androids protected!
Please do leave comments below to provide feedback on how your own install went, and highlight any tips you have discovered that other admins may find useful.