
Centri Fy for Samsung Knox 3

Date post: 03-Jun-2018
Upload: dani-danone
  • 8/12/2019 Centri Fy for Samsung Knox 3


    Centrify for Samsung KNOX

    Administrator's Guide

    October 2013

    Centrify Corporation


    Legal notice

    This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

    This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

    © 2004-2013 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

    U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

    Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

    Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

    The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.


    Contents

    About this guide
        Intended audience
        Guide conventions
        Where to go for more information
        Contacting Centrify Corporation

    Chapter 1 Introduction to Centrify for Samsung KNOX
        What is Centrify for Samsung KNOX?
        Benefits of Centrify for Samsung KNOX for your organization
        Using Centrify for Samsung KNOX on mobile devices
            Accessing web-based single sign-on applications
            Accessing native mobile applications
        Using the MyCentrify web-based user portal
        Administering Centrify for Samsung KNOX
            Using Centrify for Samsung KNOX administrator tools
            Providing Centrify for Samsung KNOX to your users
            Setting up SSO for Centrify for Samsung KNOX
            Setting up Centrify for Samsung KNOX MCM and MDM
        For more information

    Chapter 2 Installing and configuring Centrify for Samsung KNOX
        Specifying the right to modify permissions in Active Directory
        Installing the Centrify cloud proxy server
            Configuring the cloud proxy server for MDM and MCM
            Completing the Cloud Proxy Server Configuration Wizard
        Configuring the Centrify cloud service
        Enrolling the mobile device
        Creating the KNOX Container
        Installing Centrify for KNOX from Samsung KNOX Apps
            Preparing a device that uses MDM/MCM from another vendor
            Preparing a device that uses Centrify for Samsung KNOX for MDM/MCM
            Installing Centrify for KNOX

    Chapter 3 Configuring the Centrify cloud service and managing devices
        Configuring the Centrify cloud service for single sign-on
            Deploying applications from Cloud Manager
            Selecting web applications using MyCentrify
            Deploying mobile applications that use SSO
        Configuring the Centrify cloud service for MDM/MCM settings
        Managing mobile devices and Knox containers
            Sending commands to devices
            Generating reports
        Self-service management with MyCentrify


    About this guide

    This book provides the information you need in order to understand, install, and configure Centrify for Samsung KNOX. Centrify for Samsung KNOX is a mobile device, mobile application, and mobile container management solution that uses the Centrify cloud service to secure communications between devices, the Active Directory directory service, and administrator tools.

    Intended audience

    This guide contains information for system and network administrators who are responsible for managing access to network resources, particularly access to internal network resources from outside mobile devices or access to outside web services provided by other organizations.

    These administrators should know how to use Microsoft Windows tools, especially these components: Active Directory Users and Computers and Group Policy Management Editor.

    Guide conventions

    This guide uses the following conventions:

    Fixed-width font presents sample code, program names or output, file names, and commands that you type at the command line. When italicized, the fixed-width font indicates variables.

    Bold text emphasizes commands, buttons, or user interface text, and introduces new terms.

    Italics present book titles and emphasize specific words or terms.

    Terms enclosed in [braces] in command syntax are optional.

    Where to go for more information

    For the full documentation on Centrify for Samsung KNOX software, group policy, and cloud service configuration possible with Centrify for Samsung KNOX, see the following documentation:

    Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.

    Cloud Manager help provides task-oriented information for administrators who need to modify applications, manage roles and users, and configure settings in the Cloud Manager. To open, click Help from the user account drop-down list in the Cloud Manager administrator web portal.

    MyCentrify help provides task-oriented information for users to navigate and launch their deployed applications, view their activity, manage their own mobile devices, and specify some Active Directory settings. To open, click Help from the user account drop-down list in the MyCentrify user web portal.

    Application configuration help provides specific details for configuring each kind of application that Centrify provides, including individual SaaS applications for SSO, user-password applications, and mobile applications. To open, click the Help link from an application in the App Catalog.

    The Centrify User Suite Overview, Installation, and Configuration Guide provides more in-depth explanations of the installation procedures and the group policies.

    Contacting Centrify Corporation

    If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation, visit our website at www.centrify.com. From the website you can get the latest news and information about products, support, services, upcoming events, investor relations, and sales.

    Chapter 1

    Introduction to Centrify for Samsung KNOX

    Centrify for Samsung KNOX delivers Active Directory-based single sign-on (SSO), mobile container management (MCM), and mobile device management (MDM) for Samsung KNOX-enabled devices and is available as standard features with the KNOX platform.

    End users enjoy the improved productivity benefits of Zero Sign-On access to rich mobile apps and cloud-based SaaS apps while IT administrators can easily manage KNOX containers and the underlying devices using an infrastructure they already own: Active Directory.

    Samsung KNOX is an Android-based solution that provides platform security, application security, and mobile device management.

    Centrify for Samsung KNOX is available on the Centrify website to any organization that uses Samsung KNOX, has a Samsung KNOX license key, and has users of Samsung mobile devices that are KNOX-capable (devices that can have KNOX containers in which work applications are kept separate and secure).

    This book covers the essentials for setting up and configuring Centrify for Samsung KNOX.

    Note: If you want to use Centrify with non-Samsung KNOX mobile devices in addition to Samsung KNOX devices, you need to upgrade to the Centrify User Suite. For more information, go to http://www.centrify.com/products/centrify-user-suite.asp.

    Using Centrify for Samsung KNOX on mobile devices


    mobile applications are assigned to that user. The trust provides the user with single sign-on access to the assigned applications.

    Users can access two different kinds of applications inside of the KNOX container: web applications and mobile applications.

    Accessing web-based single sign-on applications

    Both you and your users can set up web applications for use inside of the Samsung KNOX container. You add and deploy web applications using Cloud Manager, and users can add applications using MyCentrify.

    To access their web applications within the KNOX container, users open their KNOX container, enter their KNOX container password, touch the Centrify for KNOX application, and then touch to open a Centrify web application. Only the web applications that you have assigned to them display in the Centrify for KNOX application. The web applications open in the mobile browser inside the KNOX container.

    Centrify for Samsung KNOX handles the SSO by way of a KNOX SSO service that runs in the background of the KNOX container and connects to the Centrify cloud service.


    Accessing native mobile applications

    Users can access mobile applications that are native to the Android operating system and that run inside the secure Samsung KNOX container. You deploy these mobile applications to users or have your users download and install some applications themselves from the KNOX Apps Store.

    You can also deploy native mobile applications that run inside the Samsung KNOX container and that are configured for SSO inside the container.

    To access these mobile container applications, users can open their KNOX container, enter their KNOX container password, and then touch one of the applications listed. The mobile application opens inside the KNOX container. If the application is configured for SSO, the user doesn't have to log in to the application directly, because the authentication is handled by the KNOX SSO service that runs in the background in the KNOX container.


    Using the MyCentrify web-based user portal

    Your users log in to MyCentrify to access the web applications that you've assigned to them. They can also monitor their application and device activity, and do self-service management of some of their personal Active Directory properties.

    Users can add applications that require a user name and password, and applications that use a bookmark, by going to the MyApps page and clicking Get More Apps. These web applications display on the MyApps page in the MyCentrify web portal and also in the Centrify for KNOX mobile application.

    Administering Centrify for Samsung KNOX

    Using Centrify for Samsung KNOX, you can specify which applications are allowed in users' Samsung KNOX containers, avoid time-consuming work related to forgotten user credentials for applications, and make sure your organization's data remains secure. You can also manage mobile devices and users' KNOX containers.


    With the Centrify for Samsung KNOX Active Directory Users and Computers (ADUC) extension, you can perform management tasks for devices, call logs, and Samsung KNOX containers.

    You use the Cloud Proxy Server Configuration tool to manage the cloud proxy server and its connection between your Active Directory and the Centrify cloud service.


    Providing Centrify for Samsung KNOX to your users

    For the full user experience (and the broadest management capability for you), your users need two Centrify mobile applications. You can download the applications, upload them into Cloud Manager, and deploy them to your users. Alternatively, your users can download them directly from Google Play and the Samsung KNOX Apps Store:

    Centrify application for Android: Available from Google Play.

    With this application, which is installed on the mobile device, users enroll their devices in the Centrify cloud service, which provides connection to Active Directory and in turn installs the group policies that manage and protect the device. As part of enrollment, the Centrify cloud service can create a Samsung KNOX container on each enrolled device.

    Centrify for KNOX application: Available from the Samsung KNOX Apps Store.

    With this application, which is installed in the Samsung KNOX container, your users log in to this application and get single sign-on access to the web and mobile applications that you deploy to their Samsung KNOX container.

    If you're using Centrify for Samsung KNOX for SSO only and not for MDM/MCM (for creating and managing the container and managing the devices), your users need just the Centrify for KNOX application.


    For access to the MyCentrify user web portal, you provide your users the MyCentrify URL and the information they need to log in.

    Setting up SSO for Centrify for Samsung KNOX

    Centrify's Samsung KNOX SSO service is built into every Samsung KNOX container. The service does, however, need to be enabled by the MDM provider managing the KNOX container. When configuring Centrify for Samsung KNOX for SSO, you install the proxy server, and then use Cloud Manager to deploy applications to your users.

    To provide a web application to your users, you open Cloud Manager to the Apps page and click Add App. The App Catalog opens, and you can select the applications that you want to add. For each application that you select, you configure some general application settings and then assign roles to the application. The application is deployed (made available to users' MyCentrify) when you save your changes to both the application settings and role assignments.

    In addition to deploying the web applications, you also deploy the Centrify for KNOX mobile container application so that users can access the web applications from inside the KNOX container.


    You can deploy SAML applications or applications that use just a user name and password for authentication, or even a simple bookmark of an application URL.

    The process of deploying mobile applications is similar to deploying web applications. You provide either the custom APK binary file or the package name of the application in Google Play or the KNOX Apps Store. For mobile applications that are configured for SSO inside the KNOX container, you also deploy a matching web SAML application to provide the SSO functionality for the mobile application (because SAML authentication is needed for SSO and mobile applications don't use SAML directly).

    Setting up Centrify for Samsung KNOX MCM and MDM

    When using Centrify for Samsung KNOX for MCM and MDM, you install the Centrify cloud proxy server and the ADUC and GPME extensions. You then deploy the Centrify mobile application. (If you're also using SSO, you also deploy the Centrify for KNOX mobile application.)

    You provide mobile applications similarly to how you provide web applications. You provide either the custom APK binary file or the package name for the application in Google Play.

    To provide a mobile application to your users, you open Cloud Manager to the Apps page and click Add App. The App Catalog opens, and you can select the applications that you want to add. For each application that you select, you then specify the application package name (or the custom APK file) and then assign roles to the application. The application deploys (is made available in MyCentrify) to users when you save your changes to both the application settings and role assignments.


    Requirement: The Samsung KNOX license key and licenses for mobile devices
    Description: You need one license key per Centrify cloud service account in order to implement the Centrify for Samsung KNOX solution and a license for each mobile device you want to enroll. If you don't have the license key and licenses yet, contact Samsung or your mobile service provider.

    Requirement: A supported browser
    Description: You and your users need to be able to access the web portals that help you manage devices and applications (Cloud Manager for you and MyCentrify for users). The Cloud Manager and MyCentrify web portals for this version of Centrify for Samsung KNOX have been confirmed for use on the following web browsers:
        Internet Explorer: version 9 and 10 on Windows 7 and Windows 2008R2 server
        Mozilla Firefox: version 23 and later
        Google Chrome: version 28 and later
        Apple Safari: version 6

    Requirement: A Google Play account
    Description: You and your users need to have Google Play accounts so that they can download the free Centrify cloud service application to their devices.

    Requirement: A Samsung account
    Description: Your users need accounts to be able to download the free Centrify for KNOX application from the Samsung KNOX Apps store. If you do not already have an account, you can create one just before you install Centrify for KNOX.

    Specifying the right to modify permissions in Active Directory

    To install and administer the Centrify cloud proxy server, the user account you use to install the software must have the Modify Permissions right in Active Directory. You enable this right in Active Directory Users and Computers, in Advanced Features.

    To specify the right to modify permissions to an Active Directory user or group:

    1 In Active Directory Users and Computers, make sure that you have Advanced Features enabled (View > Advanced Features).

    2 Open the properties for the user or group to which you want to give the right to modify permissions, and click the Security tab.

    3 In the Security tab, click Advanced.

    4 In the Advanced Security Settings dialog box, click Add.

    5 Enter the name of the user account that you will use to install the cloud proxy server, and click OK.

    6 In the Permission entry dialog box, click Allow for Modify Permissions and click OK. The Permissions tab of the Advanced Security Settings dialog box lists the user or group to which you have given the right to modify permissions.

    7 In the Advanced Security Settings dialog box, click OK.

    8 In the Properties dialog box, click OK.

    Installing the Centrify cloud proxy server

    You use the Cloud Management Suite installer to install the Centrify cloud proxy server and, optionally, the Active Directory and Group Policy Management Editor console extensions.

    The procedures in this section describe how to install the cloud proxy server, activate the server, and configure the proxy server for MDM/MCM and SSO.

    To install the cloud proxy server:

    1 On your Windows computer, run the installation program in the Centrify Cloud Proxy Server Installer zip file appropriate for your system: Cloud-Mgmt-Suite--win32.exe for 32-bit Windows or Cloud-Mgmt-Suite--win64.exe for 64-bit Windows.

    If Microsoft .NET version 4.0 or later is not already installed on your computer, the installer installs it for you. Restart your computer after .NET installation and then you can continue the installation of the Cloud Management Suite.

    2 Click Next on the welcome screen. Then, indicate your agreement to the licensing terms and conditions in the check box and click Next.

    3 In the Custom Setup dialog box, select the items to install.

    The components you install depend upon whether you are using Centrify for Samsung KNOX for SSO alone or for MDM/MCM, with or without SSO.

    If you are using Centrify for Samsung KNOX as your MDM and MCM solution, select all of the components (the default) for installation.

    If you are using another vendor's MDM and MCM solution, deselect the Centrify for Mobile Tools option (circled in the picture).


    4 You can click Browse to specify a different installation location. Click Next.

    5 In the Ready to Install Cloud Management Suite page, click Install to perform the installation.

    6 When the installation completes, keep Run Connection Test selected and click Finish.

    A connection test runs to verify that your server is connected properly for the proxy server to run. If any errors are returned, you must fix them before continuing.

    7 Click Close to close the Connection Test dialog box, then the Cloud Proxy Server Configuration Wizard launches.

    To activate the cloud proxy server:

    1 In the Cloud Proxy Server Configuration Wizard Welcome page, click Next.

    2 In the Proxy Configuration page, enter your one-time activation code in the Registration code field and click Next.

    3 In the Web Proxy Configuration page, if your network has a web proxy server that you want to use for the connection to the Centrify cloud service, select the Use a web proxy server... option.

    If you do not have a web proxy server, click Next without selecting the option; the cloud proxy server won't connect through the web proxy server.

    If you selected the web proxy option, enter the following information:

    Address: The URL of the web proxy server.

    Port: The port number to use to connect to the web proxy server.

    4 Click Next to continue.


    To configure the cloud proxy server:

    1 In the Configuring Mobile use window, click Next to accept the default Users and Computers containers.

    2 Click OK when finished.

    3 Click Next.

    Completing the Cloud Proxy Server Configuration Wizard

    The Starting Cloud Proxy Server dialog box appears while the wizard registers the proxy with the Centrify cloud service and starts the proxy. When setup and startup is complete, the Setup Completed dialog box appears.

    Click Finish to exit the wizard.

    The cloud proxy server is now installed and running. The Centrify cloud proxy server configuration program starts automatically; however, no further configuration is required. Click Close to exit it.

    If you are using Centrify for Samsung KNOX for SSO only, go to "Installing Centrify for KNOX from Samsung KNOX Apps" on page 30, skipping the remaining sections on configuring the Centrify cloud service, enrolling the device, and creating the container.

    If you are using Centrify for Samsung KNOX for MDM and MCM, continue through the remainder of this chapter.

    Configuring the Centrify cloud service

    Before you can create a KNOX container, you need to enter your Samsung KNOX license key. You do this in Cloud Manager.

    To enter your Samsung KNOX license key:

    1 Open Cloud Manager. Open a browser and enter the URL https://cloud.centrify.com/manage.

    2 Log in. Cloud Manager prompts you for a user name and password. Enter your full Active Directory login name, including UPN suffix (for example, [email protected]) and password.

    Cloud Manager displays the Apps page. This page is blank until you deploy applications.

    3 Select the Settings page.

    4 Under Settings, select Samsung KNOX Settings.


    5 Click the Samsung KNOX License Key field and enter the license key.

    6 Click Save.

    Enrolling the mobile device

    In this procedure, you install the Centrify application on your KNOX-capable device and enroll the device.

    After you enroll the device, the Centrify cloud service adds it to the Cloud Manager Devices page.

    To begin, turn on and log in to your device and open the Play Store.

    To install Centrify from Google Play:

    1 Select the Search icon, enter Centrify.

    2 Touch Centrify to display the application details.

    3 Touch the Install button.

    4 Scroll through and read the Privacy and Device Access terms under Do you want to install this application? and touch Install.

    This initiates the installation process. When it's complete, the screen displays Application Installed.

    5 Touch Open to proceed with enrolling your device.

    6 Enter your user name and password.

    Enter your full Active Directory login name, including UPN suffix (for example, [email protected]) and password.

    7 Centrify displays the screen, Active Device Administrator?

    8 Read through the text and touch Activate.

    Centrify displays its Privacy policy.

    9 Read through the text and touch the check box to confirm I acknowledge that I have read and understood, and I agree to, all of the terms and conditions above and then touch Confirm.

    After you enroll the device, Centrify continues in the background to load applications deployed to the device and install group policies. This may take a minute or two.

    Creating the KNOX Container

    Only the device owner can create the KNOX container. However, you must first enable the device to let the user create the KNOX container. There are two ways you can enable the device to let the user create the KNOX container:

    - You can enable a group policy that lets users create the KNOX container as soon as they enroll the device.
    - You can send the Create container command from Cloud Manager that lets the user create the KNOX container as soon as the command is received on the device.

    After the device is enabled, the device owner uses the Centrify application running on the phone to create the KNOX container.

    In this procedure, you send the Create container command from Cloud Manager. In the subsequent procedure, you create the KNOX container from the device.

    To enable the user to create a KNOX container:

    1 If Cloud Manager is not open, enter the URL https://cloud.centrify.com/manage in your browser and log in using your Active Directory credentials.
    2 Select the Devices page.
    3 Select the device.
    4 Click the Container Management drop-down list and select Create Container.

      Cloud Manager sends the command immediately to the device. The create message appears briefly in the Navigation tray in the device.

    To create the container:

    1 If the Centrify mobile application is not open on your device, open Apps and touch Centrify.
    2 Touch the Setup tab.
    3 Under SETUP REQUIRED, touch Create KNOX container.

    The Centrify app displays the Privacy policy screen.

    4 Read through the text and touch the check box to confirm that this statement is true: "I acknowledge that I have read and understood, and I agree to, all of the terms and conditions above"; then touch Confirm.

      This initiates downloading the KNOX container software. This can take a minute or two.

      When the download is complete, Centrify displays the KNOX container Terms and conditions and Privacy Policy screen.

    5 Read through the Terms and conditions and Privacy Policy, select "I accept all the terms above", and touch Next.

    6 Enter the KNOX container password you want to use, enter it again, and touch Next.
      This initiates KNOX container creation. KNOX container creation takes a minute or so to complete.

    7 Touch Launch.
      The Centrify cloud service confirms that you have a license available.

    8 Enter your password and touch Done.
      You are now inside the KNOX container.

    The applications shown in the container are different from the applications displayed on your home screens. You manage applications that appear outside and inside the container (for example, Email, Phone, and Contacts) separately. For example, you can configure the Email application inside the KNOX container and outside the KNOX container for different accounts.

    You can install additional mobile applications inside the container from the Samsung KNOX Apps store. You can also deploy web applications and wrapped mobile applications to the KNOX container using Cloud Manager.

    There are two icons you use to enter and exit the Samsung KNOX container.

    To enter the container from your home screen, touch this icon.

    This icon is added to your Apps catalog when you create the container.

    You can also enter the container by dragging down on the device's notification bar and touching Samsung KNOX Tap to Start.

    To exit the container you touch this icon.

    Installing Centrify for KNOX from Samsung KNOX Apps

    Centrify for KNOX is a mobile application that users install inside the KNOX container. They use it to open the web applications you assign to them. This lets users open the SaaS applications they use for work (for example, Salesforce or Dropbox) from within the container.

    Web applications can be assigned to Centrify for KNOX in two ways:

    - An applications administrator can assign them using Cloud Manager.
      The Centrify cloud service has hundreds of web applications preconfigured for immediate assignment. To see the catalog, open the Cloud Manager Apps page and click Add Apps.
    - Users can add their own web applications.
      See MyCentrify help for the details.

    Centrify for KNOX provides SSO authentication for all web applications. Users just log in once. After that, Centrify for KNOX safely stores the credentials for that application and silently authenticates the user in subsequent logins.

    Before you can install Centrify for KNOX in the container, Centrify for KNOX must be added to a whitelist of applications allowed to use the Samsung KNOX container's SSO feature. How you configure the device depends upon whether you are using Centrify for Samsung KNOX or another vendor for MDM/MCM.

    Preparing a device that uses MDM/MCM from another vendor

    If your device uses another vendor's product for MDM/MCM, confirm that the KNOX container has already been created and the Samsung KNOX SSO feature has been enabled before installing Centrify for KNOX.

    The Samsung KNOX SSO feature on the device requires the application vendor to specify the package name for any mobile application that wants to use the SSO interface. Different MCM vendors use different methods to specify the application. When your MCM provider prompts you to specify Centrify for KNOX, use the following as the package name:

    com.centrify.sso.myapps

    Preparing a device that uses Centrify for Samsung KNOX for MDM/MCM

    The Centrify cloud service automatically enables the Samsung KNOX SSO feature; however, you must add Centrify for KNOX to the whitelist of applications allowed to use it.

    To enable Centrify for KNOX to use the Samsung KNOX SSO feature, you enable a group policy and add Centrify for KNOX to a whitelist. To enable the group policy you use the Group Policy Management Editor. The following procedures describe how to enable the SSO whitelist group policy, add the Centrify for KNOX application to the whitelist, and update the device with the new policy setting.

    To enable the Application SSO whitelist policy and add Centrify for KNOX:

    1 Open the Group Policy Management Editor and select for editing the group policy object you have linked to the organization unit with your Samsung KNOX device.

      If you used the default user group and device container setting when you installed the Centrify cloud proxy server (the Active Directory Users group and Computers container), the group policy object is Default Domain Policy.

    2 Expand Computer Configuration > Policies > Centrify Cloud Management Settings to Samsung KNOX Settings > Application Management.
    3 Double-click Application SSO whitelist.
    4 Click Enabled and the Add button.
    5 Enter the following in the Application: field and click OK.

      com.centrify.sso.myapps

      (You enter the application's package name rather than the application name.)

    6 Click OK to exit the dialog box.

    To update the group policy on the device:

    1 Open Active Directory Users and Computers.
    2 Select the container you selected for mobile devices. (If you used the default user group and device container setting when you installed the Centrify cloud proxy server, the default container is Computers.)
    3 Right-click the device you enrolled and select All Tasks > Device Management > Update Policies.

    deployed. If you are using another MDM/MCM provider, Centrify for KNOX prompts you to enter your Active Directory credentials and then displays the list of web applications. At this point, however, no web applications have been deployed.

    Chapter 3

    Configuring the Centrify cloud service and managing devices

    In the previous chapter you installed the core Centrify for Samsung KNOX components, enrolled a mobile device, and created a KNOX container. During the installation and configuration process, you were introduced to Cloud Manager and the Active Directory tools you use to configure the Centrify cloud service and manage devices. This chapter describes the additional procedures you perform to configure Centrify for Samsung KNOX for SSO and MDM/MCM for organization-wide deployment. This chapter also introduces the administrator and end-user device-management interfaces.

    - Configuring the Centrify cloud service for single sign-on
    - Configuring the Centrify cloud service for MDM/MCM settings
    - Managing mobile devices and Knox containers
    - Self-service management with MyCentrify

    Configuring the Centrify cloud service for single sign-on

    When you use Centrify for Samsung KNOX for SSO you use the Centrify cloud service to deploy web applications to users. The users can launch the web applications from their MyCentrify web portal and from the Centrify for KNOX mobile application they installed in their KNOX Container.

    You configure the Centrify cloud service for SSO using the following procedures:

    - Deploying applications from Cloud Manager
    - Selecting web applications using MyCentrify
    - Deploying mobile applications that use SSO

    Deploying applications from Cloud Manager

    You use Cloud Manager to deploy web applications to MyCentrify and Centrify for KNOX. The following table summarizes the Cloud Manager configuration tasks you perform to deploy web applications.

    Task                              How to perform the task

    Create a role                     1 Open Cloud Manager.
                                      2 Select the Roles page.
                                      3 Click Add Role.

    Add users to the role             1 On the Roles page, click the role you just created.
                                      2 Click the Members Edit button.
                                      3 Specify the user or group name and drag to Selected.

    Assign applications to the role   You can add one or more applications at once.
                                      1 Click the Edit button above the list of Assigned Applications.
                                      2 Select the application, drag it to the Selected box, and click OK.

    See Cloud Manager help for further details. To open Cloud Manager help, enter the URL https://cloud.centrify.com/manage in your browser, log in, and click Help in the user account drop-down list (circled in the picture).

    Example: Deploying a web application to sysadmin

    The first step in web application deployment is defining the roles to which you will assign the web applications. When you open Cloud Manager and select the Roles page, there are two default roles:

    - sysadmin: Users in this role have full Centrify cloud service administrator policies. Your Active Directory account was automatically added to this account when you installed the proxy server.
    - Everybody: Applications assigned to this role are deployed to all cloud users.

    To assign the Dropbox - Web User Password application to the sysadmin account, perform the steps in the next procedure. This example skips the first two web application deployment tasks because it uses the existing sysadmin role in which you are already a member.

    To deploy a web application to the sysadmin role:

    1 Open Cloud Manager and select the Apps page.

    2 Click Add App.
    3 Click the search box and enter drop.
    4 Select the Dropbox Web - User Password application and click Add App.

      Cloud Manager displays the Dropbox configuration window.

    5 Select the User Access category, select sysadmin, and click Save.
    6 Select MyCentrify from the account drop-down list.

      Within a couple of seconds, Dropbox is displayed on the MyApps page.

    7 On your mobile device, open the KNOX container and open Centrify for KNOX.
      Dropbox is displayed. Open Dropbox if you have an account to log in to. If you do not have an account, delete Dropbox from the container.

    Selecting web applications using MyCentrify

    Users can also add web user password applications to MyCentrify and Centrify for KNOX. They use the Get More Apps button on the MyApps page in MyCentrify. See MyCentrify help for more details about how to add applications through MyCentrify.

    Deploying mobile applications that use SSO

    If you are using Centrify for Samsung KNOX for MDM/MCM, you can deploy mobile applications that use the Samsung KNOX SSO capability to the KNOX container using Cloud Manager. See the Cloud Manager help for the procedures.

    Configuring the Centrify cloud service for MDM/MCM settings

    In the previous chapter you installed all of the components you need to use Centrify for Samsung KNOX to manage mobile devices and containers. The following table lists and explains how to do the configuration tasks you would perform to complete the Centrify cloud service configuration.

    To open Cloud Manager help, enter the URL https://cloud.centrify.com/manage in your browser, log in, and click Help in the user account drop-down list (circled in the picture).

    Task                                    How to perform the task

    Select Active Directory groups of       1 In Active Directory, create the groups, add the users, and create the
    users who can enroll devices              organizational units for the devices.
                                            2 Open the Cloud Proxy Server Configuration program.
                                            3 Click the Mobile Settings tab and click Add.
                                            4 Browse to and select the Active Directory group.
                                            5 Browse to and select the organizational unit to associate with the group.
                                            6 Repeat for each additional Active Directory group.

    Prepare devices so users can create     Prepare the devices in one of these ways:
    their Samsung KNOX container            - Edit the group policy object for the mobile devices and enable the
                                              Create/Don't create container at enrollment group policy. When you
                                              select this option, users can create the KNOX container right after
                                              they enroll the device.
                                            - On the Devices page in Cloud Manager, select the devices, click the
                                              Container Management drop-down list, and select the Create Container
                                              command. When you select this option, the device must be enrolled first.

    Enable SAFE and KNOX group              1 Open the Group Policy Management Editor and open an existing group
    policies in the group policy objects      policy object for editing or create a new one.
    for mobile devices                      2 Expand the Computer Configuration and Policies to show the Centrify
                                              Cloud Management Settings.
                                            3 Enable the SAFE and KNOX policies you need. The Centrify cloud service
                                              provides a wide variety of mobile-device-specific policies and installs
                                              the policies when the user enrolls the device.
                                            4 Save the group policy object.
                                            5 Assign the group policy object to the mobile device organizational unit.

    Configure Cloud Manager settings,       See "Managing Cloud Manager settings" in Cloud Manager help for more
    such as                                 details.
    - Cloud Manager and MyCentrify
      banner colors and icons.
    - Multifactor authentication
    - Email quarantining for
      unenrolled devices

    Deploy and manage mobile and            See "Deploying applications from Cloud Manager" on page 34 to deploy web
    web applications (optional)             applications. See "Managing applications" in Cloud Manager help for more
                                            details.

    6 Go to your device and touch the KNOX icon.
      You get the message "KNOX has been locked. Contact your administrator to unlock."
    7 Touch OK.
    8 In Cloud Manager, click the Container Management drop-down list.
    9 Click Unlock Container.

    Now when you touch the KNOX icon on the device, you are prompted to enter your password, and the container is opened.

    Generating reports

    On the Reports page in Cloud Manager, you can generate reports of real-time Centrify cloud service data. Cloud Manager provides a set of SQL scripts you can use as is or modify to expand your query. Alternatively, you can create your own SQL scripts or expand upon the built-in scripts.

    The following procedure demonstrates how to generate a report from one of the built-in scripts.

    To generate a report from a built-in Cloud Manager script:

    1 Open Cloud Manager and log in.
    2 Click Reports.
    3 Under Report Library, expand Builtin Reports and click mobile.
