Introduction
Nokia Intellisync Mobile Suite is a portfolio of products that reside on a single server and can be used alone or together to create a comprehensive mobility solution. The Nokia Intellisync Mobile Suite server provides large businesses with the flexibility, manageability and extensibility to connect virtually any corporate data to virtually any device over almost any network to meet both current and future mobility needs.
Intellisync is a modular solution. There are 4 principal components, all of which can run independently of each other and can be enabled or disabled by the license key used to install the solution. The four components are:
· Wireless Email
· Device Management
· File Sync
· Application Sync
The Wireless Email component interfaces with Microsoft Exchange, Lotus Domino or Novell Groupwise and enables full bi-directional synchronisation of all mailbox PIM data.
The Device Management component allows the administrator to enable or disable hardware functionality on the client device, to remotely ‘kill’ the device, gather inventory information about the device, back up the device to the server, copy, delete, rename or move files, add or remove registry keys, execute programs or scripts and much more.
The File Sync component allows the administrator to remotely provision the client device with any manner of document, application or patch, based on rules and conditions defined by the administrator.
The Application Sync component allows the client device to remotely connect to and interrogate a back-end database such as Oracle or Microsoft SQL Server. This component is not discussed in this document.
Client devices can be PCs running Microsoft Windows, Windows Mobile-based PDAs, Symbian devices, Palm devices or J2ME-based mobile phones.
This document is intended to provide information for the administrator on the features available in the Device Management module only, and how they can be configured.
A separate document detailing the installation procedure for Nokia Intellisync Mobile Suite is also available.
Separate documents detailing the operation of the Wireless Email and File Sync components are also available.
Administration
All administrative tasks are performed via the web-based Admin Console, which is accessed by browsing to http(s)://<servername>/admin:

The default administrative password is defined during the installation process. Once logged in, the admin console appears as shown below:

There are ten principal areas:
· Users
· Devices
· Groups
· Publications
· Reports
· Logs
· User Settings
· System Settings
· Management
· OMA DM Console
The default view, the Dashboard, displays version information on the server software and client pack installed.
Users

The Users view allows the administrator to:
· Add new users
· Send an SMS to a user’s device to download and install software
· Delete users
· Export user information
· Print user information
· Modify a user’s account
· View a user’s synchronisation activity
· Assign users to groups
Adding new users
There are four ways in which users can be added:
· Manually
· Imported from a text file
· Imported from an Active Directory / LDAP source
· Automatically
User accounts can be created automatically using the ‘auto-discovery’ feature: when authentic login credentials are supplied from a client device, the user account is created automatically.
To add a user manually, log into the Admin Console and select Users. Click on New; the following window will be displayed:

Complete the information as required: a username and password must be supplied. By default, the only Authentication Type is Internal, whereby users are authenticated against the Intellisync server using the password supplied here. Additional authentication types for Active Directory or Lotus Domino are also possible and will be discussed later.
Once the fields have been completed, click Save. The user account will now be listed.
To import users from a text file, the text file must be prepared with one UserID per line. If you want to import additional user information, you can use tokens separated by tabs to include various properties for each user, including:
$password=<>
$description=<>
$firstname=<>
$lastname=<>
$addtogroup=<>
$active=<1/0> where 1 is active, 0 is inactive
$alertdevice=<> followed by phone, pager or email address
$alertphonenumber=<> followed by phone number
$alertemailaddr=<> followed by email address
$alertcarrier=<> NOTE – only intended for the US market
$emailAddress=<> followed by email address
$language=<> followed by two character country code (eg EN for English)
$timezone=<>
$authtype=<1/0> where 1 is Active Directory, 0 is Internal
$sync=<1/0> where 1 triggers a synchronisation session after configuration
A full list of supported tokens is available in the Nokia product documentation. Once the file has been prepared, select the option to Import and browse to the location of the text file:
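A pre-upload check for the import file described above, as an added example that is not part of the original document or of Nokia's tooling. It assumes each line is a UserID followed by tab-separated $name=value tokens (the "<>" on this page read as a placeholder for the value) and that UserIDs are case-insensitive; the sample users, groups and passwords are constructed. It reports malformed or duplicate entries and every cleartext $password, because a file carrying that token holds credentials and needs to be access-restricted and deleted after import.

```python
"""Lint an Intellisync user-import text file before upload (added example)."""

# Tokens listed on this page. The product documentation lists more, so a
# token outside this set is reported as a warning rather than an error.
KNOWN_TOKENS = {
    "password", "description", "firstname", "lastname", "addtogroup", "active",
    "alertdevice", "alertphonenumber", "alertemailaddr", "alertcarrier",
    "emailaddress", "language", "timezone", "authtype", "sync",
}
FLAG_TOKENS = {"active", "authtype", "sync"}  # documented as <1/0>

# Constructed sample input: user names, groups and passwords are made up.
SAMPLE = (
    "alice\t$firstname=Alice\t$lastname=Ng\t$authtype=1\t$active=1\n"
    "bob\t$password=Winter2007\t$authtype=0\t$active=1\t$sync=1\n"
    "carol\t$password=hunter2\t$authtype=1\t$active=yes\n"
    "bob\t$addtogroup=Sales\t$colour=blue\n"
    "\t$firstname=Nobody\n"
)


def parse_line(line):
    """Split one line into (user_id, {token: value}, [problems]).

    Assumed syntax: UserID, then tab-separated $name=value tokens.
    """
    fields = line.rstrip("\r\n").split("\t")
    user_id, tokens, problems = fields[0].strip(), {}, []
    if not user_id:
        problems.append("missing UserID")
    for field in fields[1:]:
        if not field.strip():
            continue
        name, sep, value = field.strip().partition("=")
        if not name.startswith("$") or not sep:
            problems.append(f"malformed token {field!r}")
            continue
        key = name[1:].lower()
        if key in tokens:
            problems.append(f"token ${key} repeated")
        tokens[key] = value
    return user_id, tokens, problems


def lint_import(text):
    """Return (line_no, severity, message) findings in line order."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        user_id, tokens, problems = parse_line(line)
        findings.extend((no, "error", p) for p in problems)
        uid = user_id.lower()  # assumption: UserIDs compare case-insensitively
        if uid and uid in seen:
            findings.append((no, "error", f"duplicate UserID, first on line {seen[uid]}"))
        elif uid:
            seen[uid] = no
        for key, value in tokens.items():
            if key not in KNOWN_TOKENS:
                findings.append((no, "warn", f"${key} is not in the token list on this page"))
            if key in FLAG_TOKENS and value not in ("0", "1"):
                findings.append((no, "error", f"${key} must be 1 or 0, got {value!r}"))
        if "password" in tokens:
            if not tokens["password"]:
                findings.append((no, "error", "empty $password"))
            elif tokens.get("authtype") == "1":
                # Active Directory users authenticate against the directory,
                # so a password in the file is exposure with no benefit.
                findings.append((no, "warn", "cleartext $password on an Active Directory user"))
            else:
                findings.append((no, "warn", "cleartext $password; restrict and delete file after import"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint_import(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```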

To import users from an LDAP source, such as Microsoft Active Directory, you must first create an LDAP source. This is done under System Settings and will be discussed later.
To remove users from the system, select their user account and click Delete.
Clicking the Send Install SMS link will send an SMS message to the user containing a hyperlink that the user selects to download and install the Intellisync client onto their device.
Clicking the Export link will export the selected user account information to a Microsoft Excel file.
Clicking the Print link will print the selected user account information.
To view a user’s synchronisation activity, click on the desired user account, then click on the User Activity link:

All new users are automatically added to the ‘All Users’ group. To add or modify a user’s assigned groups, click on the desired user account, then click on the Assigned Groups link:

Devices

The Devices view displays information on the client devices that have connected to the Intellisync server, including last connection and network push time as well as general device information.
From this view, devices can be removed from the system, and information on specific devices can be exported to a Microsoft Excel file or sent to a printer.
Selecting a specific device entry will display a brief information summary of the device:
The Push Log displays information on the push attempts that have been made to that device, and the success of those attempts. This log can be exported or printed.
The Theft/Loss link allows the administrator to set a device to inactive should it be reported as having been lost or stolen by a user. Once a device is set to inactive, authentication will fail should a synchronisation attempt be made from the device, regardless of what credentials are used. Depending on the type of device, in the event that a device is reported as lost or stolen, the administrator can also remove specific files from the device or simply hard reset the device completely, remotely returning the device to a factory default state and removing all private data.

The Hardware and Software links display detailed information about the physical state of the device:


NOTE – for these screens to be populated, it is necessary to create an Inventory Collection package and subscribe the user to that package. Inventory Collections will be discussed later.
The OMA DM component of the solution will be examined later; however, any devices added via this component will be displayed in the Intellisync DM admin view as OMA DM:

This feature will be looked at later.
Intellisync has the ability to ‘remote control’ certain supported client devices. If the client supports it, a Remote Control button will be listed when clicking on that device’s entry within the web admin console:

Clicking on the Remote Control button will trigger the system to send a connection request to the mobile device:

On the Pocket PC device, a message will be displayed prompting the user to accept the connection:

Once connected, a message will be displayed on the screen to indicate that the connection has been established. Within the web admin console, a new browser window will be opened displaying the mobile device:

The administrator can use this interface to control the device, ‘tapping’ on the screen with the mouse.
Additional tools are available: the Screen Capture button will save the current screen to a PNG image in a new browser window. The Registry Editor button will open a Java applet displaying the contents of the remote device’s registry:

The File menu allows the administrator to create new keys and to edit or remove existing keys.

The File Manager button launches a Java applet displaying the contents of the device’s file table:

The File menu allows the administrator to copy, delete or retrieve files:

Groups

The Groups view allows the administrator to create and edit user groups for ease of management. Groups can be created within parent groups. Group information can be exported or printed. Groups can also be imported from an LDAP source.
To create a group, click on New and enter a name and a description (optional) for the group. Click Save; the group will now be listed.
Clicking on the entry for the group allows the administrator to subscribe publications to that group, to make the group a child of another group, or to make it the parent of other groups. Users can also be added or removed from the group.

Publications

The Publications view allows the administrator to create packages for delivery to client devices. There are three types of publication:
· Software Install
· Asset Collection
· Backup
Supported client devices are:
· Palm
· PC
· Microsoft Pocket PC (Windows CE)
· Microsoft Smartphone
· Symbian
To create a new publication, click on New:

Enter a name for the publication, select the type of client device and the type of publication. Click Next:

A number of tabs will now be displayed across the top of the screen, which allow the administrator to define the operational parameters of the publication. In this example I have created a Software Install publication. The General tab displays a brief summary of those parameters. Click on the Actions tab:

Click on New to add an action to the publication. Intellisync has a number of pre-defined actions that make it easy for the administrator to perform all manner of tasks on the client device, and add intelligence to the publication based on the specification of the device being used. For example, the device can be queried to obtain its operating system, processor type and free storage space, and different actions can be taken depending on the answers to those queries. Yet further intelligence can be added by the use of both client-side and server-side object-oriented scripting.
In this example the device will have its clock updated to reflect the time on the server.

Available actions are as follows:
· Directory – Create
· Directory – Remove
· Download File(s)
· Download File(s) Determined by Script
· Execute – Program
· Execute – Script
· Exit
· File – Copy
· File – Does Exist
· File – Get Version
· File – Move
· File – Register as COM DLL
· File – Remove
· File – Rename
· Get Client Operating System
· Get Client Operating System Service Pack
· Get Client Operating System Version
· Get Free Storage Space
· INI File – Read Value
· INI File – Write Value
· Reboot
· Registry – Add Key
· Registry – Add Value
· Registry – Delete Value
· Registry – Does Registry Key Exist
· Registry – Does Registry Value Exist
· Registry – Get Value
· Registry – Merge File Into Registry
· Set Client Time
· Upload File(s)
· Wait For File To Exist
Multiple actions can be assigned to the same publication.
The Delivery Options tab allows the administrator to define whether or not the publication is compulsory, or whether users can choose to accept the publication. A schedule can also be defined for the publication:

The Server Script tab allows the administrator to use a custom JavaScript should the predefined actions not allow for what he or she needs to accomplish:

The Client Script tab allows custom JavaScript or VBScript (depending on the type of client device) to be run on the client device.
Detailed information on the use of scripting is available in the Nokia product documentation.
The Attributes tab allows the administrator to define further parameters of the publication, such as whether or not any files that are downloaded to the client device by the publication are removed when the operation is complete, a time limit which the publication operation should not exceed, and limiting the publication’s availability to certain times of the day.


The Dynamic Subscription tab allows the administrator to subscribe users to the publication based on specific criteria, rather than just entire groups – such as ‘PCs with Windows XP Service Pack 2’, for example. How these criteria are defined will be examined later.
Once the publication has been saved, its execution status can be viewed by selecting its entry and then clicking on Execution Status.
The procedure for creating an Asset Collection is the same; however, instead of actions, a list of assets that are to be included in the inventory is displayed:

Creating a Backup publication is similar; however, here the administrator has the choice of defining a ‘device’ or ‘file’ backup and, if file backup is specified, defining which files are to be included in the backup.
The Execution Status view allows the administrator to view the execution status of all defined publications:

The Staging view allows the administrator to view the status of all defined publications: the Intellisync server will periodically (the schedule of this activity can also be defined by the administrator) scan the publications and verify that all linked files and any other resources required by the publication are available:

The Content/Files view allows the administrator to upload any files that are required by the publications:

The Subscription Criteria view allows the administrator to define criteria for the dynamic subscription of users to publications:

Criteria can be defined by ‘asset’ – ie all Palm devices with an operating system that is equal to Palm OS 5.0, or all PCs that have Microsoft Office XP installed, for example – or by ‘file’ – ie all devices that have a copy of the Intellisync User Guide version 2.0 in the My Documents folder.
Criteria can also be defined based on Registry keys.
Reports
This view allows the administrator to easily access information about the system. All reports can be exported or printed.
The Device Last Connection report provides a list of the latest connection times for devices:

There are three types of Device Management reports: Memory Usage, Carriers and Applications, detailing the software installed on client devices, the disk space and memory available on the devices and the mobile networks used:

There are two types of Performance Report available: System Sync Times Report and Syncs Per Hour Report:

The License Report displays information on the licenses in use and those remaining:

Logs
This view allows the administrator to view historical information about the system. There are three types of log available: Audit Trail log, User Activity log and Server Activity log. All logs can be exported or printed.

User Settings
This view allows the administrator to define client-server security settings as well as the settings that users are to be allowed to configure themselves.
General Settings
There are four principal settings groups within General Settings:
· Client Install/Deployment
· Push/Interval Sync
· Security/Encryption
· Web/WAP Security
Client/Install Deployment
This view allows the administrator to define which client packages are available for users to download from the Intellisync web interface:

Selecting the option to Generate Standalone Install allows the administrator to download packages that enable users to install the Intellisync client without the need to use the web interface:

Push/Interval Sync
This view allows the administrator to define the default settings controlling Push and scheduled synchronisation. Different settings can be defined for the different client types. Different profiles can also be defined for individual users or groups. The administrator can also specify whether users have the ability to edit these settings themselves on the client device:


Security/Encryption
This view allows the administrator to define the encryption method used to transmit data between the client and the server and store client authentication details.
Available options are Triple DES, AES, SSL or No Encryption. The option to not use encryption would be selected if the client device was already using some form of secured, encrypted connection to the server, such as a VPN connection.
Different settings can be defined for each supported client type as well as for individuals or groups.


Power-on passwords can also be enforced on client devices that support them. From this view the administrator can also define what phone numbers can be dialled from the client device while it is locked.


Web/WAP Security


This view allows the administrator to define whether or not authentication credentials can be stored on client devices for web or WAP access to the server.
Device Management
Connection Policy
This view allows the administrator to specify whether a user account can be disabled automatically if there is no activity for a certain amount of time. The administrator can also define how many attempts users have to enter their authentication details correctly, and what happens if that limit is exceeded. Available options are to deactivate the device (meaning that authentication will fail regardless of what authentication credentials are entered), delete PIM and email data from the device, delete specific files from the device, or hard reset the device completely.


Hardware Control
This view allows the administrator to remotely disable certain elements of hardware on the client device (Windows Mobile 5 devices only):

Following a change made via the Admin Console, the hardware element is disabled on the client device during the next synchronisation. The hardware elements that can be disabled are:
· Camera
· Bluetooth
· Infrared
· Wireless Fidelity (WiFi)
· Secure Digital Card (flash memory card)
· Short Message Service (SMS Text Messages)
System Settings
General Settings
This view allows the administrator to configure proxy and SMTP server details as well as maintenance and client software language settings.


Server Names
This view allows the administrator to define the internal and external name / IP address of the server when accessed locally via the LAN and externally via the Internet. The values entered here are used to pre-populate the server connection settings when creating a standalone client installation package. Ideally the server name will remain the same, and internal and external DNS servers will be configured accordingly. That way the client will not need to have any settings changed depending on the user’s location.

Server Key
This view allows the administrator to enable or disable Server Key Exchange, a security feature that exchanges a unique key between the server and the client.

Authentication
This view allows the administrator to define authentication settings. This is where the auto-discovery feature can be enabled or disabled. Enabling this feature means that user accounts do not need to be created or imported: the user account will be created automatically when a client provides valid authentication credentials. The administrator can also limit the number of devices each user can have from this view. When a user account is created manually, the default authentication type is the internal authentication mechanism, whereby users are authenticated against the Intellisync user database. This is the simplest of options and would be employed if users have authenticated prior to the Intellisync connection, such as with a VPN server. You can specify a default Intellisync password from here. Additional authentication sources can also be defined from this view.


Authentication Sources
This view allows the administrator to define additional authentication sources other than the built-in internal authentication mechanism. Available options are:
· Active Directory / LDAP
· Domino
· Groupwise
· RADIUS
All authentication sources can be exported or printed. Authentication sources can be assigned on a per-user or per-group basis.
To add an Active Directory / LDAP authentication source, select New AD/LDAP:

To add a Domino authentication source, select New Domino:

To add a new Groupwise authentication source, select New Groupwise:

To add a new RADIUS authentication source, select New RADIUS:

Directories
This view allows the administrator to specify the default location for the content used by publications and client installation packages:

Secure Gateways
This view allows the administrator to add or remove details of Intellisync Secure Gateways. A Secure Gateway is a machine that would typically sit in a DMZ environment and proxy synchronisation requests from the Internet to the back-end Intellisync server on the LAN. This has the advantage of not requiring ports 80 or 443 to be allowed through the firewall to a host on the internal network. To add a Secure Gateway, simply select New and enter the IP address of the host on which the Secure Gateway service has been installed:

NOTE – by default the secure gateway service runs on the Intellisync server itself and a secure gateway will already be listed with a name of localhost. When adding a new secure gateway, the localhost entry will need to be removed.
NOTE – Using a secure gateway renders the web PIM and the web Admin Console unavailable externally on the default ports.
Information on how to set up a Secure Gateway is available in the Nokia product documentation.
License
This view displays information on the license key that was used to install the solution, the number of users in use and those available as well as the modules of the Mobile Suite that are enabled. The license key can also be edited from this view.

Advanced
This view allows the administrator to enable or disable multiple tenants. This would be done if the server were being used in a hosted environment.

Management
This view allows the administrator to remove or activate and deactivate Intellisync servers as well as add and remove administrator accounts.
Servers
This view displays a list of Intellisync servers in the cluster and allows the administrator to export or print server information. Servers can also be removed from this view.
To activate or deactivate a server, simply select its entry and tick or untick the Active check box.
To start or stop Intellisync servers, it is necessary to establish an SSH connection to the server and initiate the appropriate script.
To start Nokia Intellisync Mobile Suite services, run the following commands as root:
/etc/init.d/asadb start
/etc/init.d/securegateway start
/etc/init.d/mobilesuite start
To stop Nokia Intellisync Mobile Suite services, run the following commands as root:
/etc/init.d/asadb stop
/etc/init.d/securegateway stop
/etc/init.d/mobilesuite stop
Administrators
This view displays a list of administrative accounts that have been configured. By default only one administrator is defined, using the credentials defined during the installation process. This account can be edited or additional accounts can be added or removed. All accounts can be exported or printed.
To add a new administrative login, select New:

Complete the required fields and click Save when finished.
Administrator accounts can be activated or deactivated by selecting their entry and changing the Status field accordingly.
OMA DM Console
OMA DM is the Open Mobile Alliance Device Management server, based on the SyncML protocol, using XML schema to remotely provision supported devices with service settings, applications, patches, etc.
Using OMA DM, device management profiles are sent to the remote device via PIN-protected SMS message to establish a connection between the Intellisync server and the mobile device. This profile will contain information on the Internet Access Point to use as well as details of the Intellisync server to connect to (IP address, port, username and password). When the message is received on the device, the user enters the correct PIN code and accepts the connection.
Once the connection is established, the connection can be used to download and install applications remotely to the device and to deliver the following additional settings to the device:
· Email settings
· Data synchronisation settings
· SIP (Session Initiation Protocol) settings
· SCCP (Skinny Client Control Protocol) settings (used to connect to Cisco Call Manager)
· VoIP (Voice over Internet Protocol) settings (Internet Telephony)
· Advanced device management settings
· Device control settings
Settings can be tailored on a per-user or per-group basis, or alternatively on a per-device basis.
The solution also allows the administrator to remotely install and configure applications on the mobile device. Packages are included by default for the following applications:
· Nokia Business Center
· Nokia Device Management Enhancements
· Nokia Mail for Exchange
· Symantec Mobile Security
It is possible to add new installation packages and configuration files for new versions of existing applications, or new software (Symbian-native or Java-based, ie a SIS file). Any application can be delivered provided that the administrator has access to the Device Description Framework (DDF) document for the application, which defines the settings that need to be defined for that application on the OMA DM server.
More information can be found here:
http://en.wikipedia.org/wiki/OMA_Device_Management
http://www.openmobilealliance.org/tech/wg_committees/dm.html
The OMA DM web admin console is distinct from the main Intellisync web admin console, although certain features are interlinked, such as the list of Users, Groups and Devices.
There are six principal sections within the OMA DM admin console:
· Users
· Devices
· Groups
· Publications
· Server Monitoring
· Configuration
Users
Unlike Intellisync DM, within OMA DM users cannot be created automatically. They can be imported or created manually, but a user account must be created and a device associated with it before that remote device can be controlled.
Users created within Intellisync DM will be listed in the OMA DM admin view automatically. However, editing the user account will display additional fields: Default Mobile Number and Employee ID:

The Employee ID field is a free text field which can be used to enter a numerical value which can automatically be used as the PIN code users need to enter when accepting DM profiles from the server.
Users enabled and disabled within the OMA DM console will also be enabled and disabled in the Intellisync DM console.
Selecting a user’s subscribed publications within the OMA DM console will display only those publications that are available within the OMA DM console, not those created within the Intellisync DM console.
Devices
Again, unlike Intellisync DM, devices cannot be discovered automatically the first time they synchronise. Within the OMA DM admin console devices must be created manually:

To add a new device, click New:

Enter the mobile phone number and IMEI number of the device, the carrier to be used to communicate with the device as well as the user to be associated with the device. Once all of the fields have been completed click Save; the device will now be listed.
From this view devices can be sent DM profiles, Connection Requests, Short Messages, or can be deleted altogether.
It is not possible to send a Connection Request to a device until a DM Profile has been sent to it first. How DM Profiles are defined will be looked at later. Once a DM profile has been created, to send it to a device, select the option to Send DM Profile:

Specify a PIN code for the message, or specify that the employee ID should be used as the PIN code. Click Confirm; the message will be sent to the target device.
A message will be displayed to the user on the device stating that new service settings have been received, and the user will be prompted to accept them. Should the user accept them, they will then be prompted to enter a PIN code. Upon entry of the correct PIN, the settings will then be installed.
Once the profile has been installed, a connection request can be issued from the server:

At any point, regardless of whether a DM Profile has been installed or not, SMS messages can be sent to the device. The message can be either a:
· Short text message
· User-defined bookmark
· Web server certificate installation

Selecting a device entry displays further information about that device, including firmware version, language, etc:


Advanced Actions are also available, including the ability to: