TMMS-8.0 Ag
without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at: http://www.trendmicro.com/download

Trend Micro, the Trend Micro logo, OfficeScan, and TrendLabs are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright 2004-2012 Trend Micro Incorporated. All rights reserved.

Release Date: July 2012
Document Part No.: TSEM85322_01302012
The user documentation for Trend Micro Mobile Security is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro's Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp
Contents
Preface
Audience
Mobile Security Documentation
Document Conventions
Chapter 1: Introduction
Understanding Mobile Threats
About Trend Micro Mobile Security v8.0
Mobile Security Components
  Basic Security Model (Single Server Installation)
  Enhanced Security Model (Dual Server Installation)
  Management Server
  Communication Server
  SMS Sender
  Mobile Device Agent
What's New in This Release (v8.0)
  Agent Customization
  Web Proxy Support for Android
  HTTP(S) Push Notification Setting for Android
  Simpler Provisioning
  Scan After Pattern Update
  Web Threat Protection Policy
  Adds SD Card Restriction for Android
  Application Inventory
  Application Control
  Application Push
  Selective Wipe
  Compliance Check
  Optional Authentication using Active Directory
  Dashboard Screen
  Scheduled Reports
  Quick Configuration Verification Screen
  On-Demand Remote Password Reset for iOS and Android
  Enterprise Applications
What's New in This Release (v7.1)
  Support for iOS and Blackberry Mobile Devices
  Integrated with Active Directory
  Updated Architecture
  Provisioning Policy
What's New in This Release (v7.0)
  Support for Android Mobile Devices
  Call Filtering Policies
  Updated Feature Locking
  Locate Remote Device
  Updated Architecture
Main Mobile Device Agent Features
  Anti-Malware Scanning
  Firewall
  Web Security
  SMS Anti-Spam
  Call Filtering
  WAP-Push Protection
  Authentication
  Data Encryption
  Regular Updates
  Logs
Supported Features
Configuring Device Authentication
Configuring Database Settings
Configuring Communication Server Settings
Firewall Policies
Application Monitor and Control Policies
  Enterprise App Store
Encryption and Password Policies
  Password Settings and Password Security
  Encryption Settings
Feature Lock Policy
  Supported Features/Components
  Configuring Components Availability
Web Threat Protection Policy
Compliance Policy
Configuring Notification Settings
  Configuring Email Notifications
  Configuring SMS Sender
    SMS Sender List
    Configuring SMS Sender List
    SMS Sender Status
  Administrator Notifications and Scheduled Reports
    User Notification
Preface
Welcome to the Trend Micro Mobile Security for Enterprise version 8.0 Administrator's Guide. This guide provides detailed information about all Mobile Security configuration options. Topics include how to update your software to keep protection current against the latest security risks, how to configure and use policies to support your security objectives, configuring scanning, synchronizing policies on mobile devices, and using logs and reports.

This preface discusses the following topics:
- Audience
- Mobile Security Documentation
- Document Conventions
Audience
The Mobile Security documentation is intended for both administrators, who are responsible for administering and managing Mobile Device Agents in enterprise environments, and mobile device users.

Administrators should have an intermediate to advanced knowledge of Windows system administration and mobile device policies, including:
- Installing and configuring Windows servers
- Installing software on Windows servers
- Configuring and managing mobile devices (such as smartphones and Pocket PC/Pocket PC Phone)
- Network concepts (such as IP address, netmask, topology, and LAN settings)
- Various network topologies
- Network devices and their administration
- Network configurations (such as the use of VLAN, HTTP, and HTTPS)
Knowledge Base: the Knowledge Base is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, open:
http://esupport.trendmicro.com/
Tip: Trend Micro recommends checking the corresponding link from the Download Center (http://www.trendmicro.com/download) for updates to the product documentation.
Document Conventions
To help you locate and interpret information easily, the documentation uses the following conventions.
| Convention | Description |
|---|---|
| ALL CAPITALS | Acronyms, abbreviations, and names of certain commands and keys on the keyboard |
| Bold | Menus and menu commands, command buttons, tabs, options, and tasks |
| Italics | References to other documentation |
| Monospace | Example, sample command line, program code, Web URL, file name, and program output |
| Link | Cross-references or hyperlinks. |
| Tip: | Recommendations |
| WARNING! | |
Chapter 1
Introduction
Trend Micro Mobile Security for Enterprise v8.0 is an integrated security solution for your mobile devices. Read this chapter to understand Mobile Security features and how they protect your mobile devices.

This chapter includes the following sections:
- Understanding Mobile Threats
- About Trend Micro Mobile Security v8.0
- Mobile Security Components
- What's New in This Release (v8.0)
- Main Mobile Device Agent Features
- Supported Features
WARNING! Trend Micro cannot guarantee compatibility between Mobile Security and file system encryption software. Software products that offer similar features, like anti-malware scanning, SMS management and firewall protection may be incompatible with Mobile Security.
Depending on your company needs, you can implement Mobile Security with different client-server communication methods. You can also choose to set up one or any combination of client-server communication methods in your network.

Trend Micro Mobile Security supports two different models of deployment:
- Basic Security Model (Single Server Installation)
- Enhanced Security Model (Dual Server Installation)
FIGURE 1-1.
FIGURE 1-2.
Management Server
The Management Server is a plug-in program that enables you to control Mobile Device Agents from the OfficeScan Web console. Once mobile devices are registered, you can configure Mobile Device Agent policies and perform updates.
Communication Server
The Communication Server handles communications between the Management Server and Mobile Device Agents. The Communication Server allows the Management Server to manage Mobile Device Agents outside the corporate intranet. Mobile Device Agents can connect to the public IP address of the Communication Server. You can use the OfficeScan Web console to configure policies for the Communication Server.
SMS Sender
SMS senders are designated mobile devices connected to the Communication Server over WLAN connections or ActiveSync (version 4.0 or above). An SMS sender receives commands from the server and relays them to mobile devices via SMS text messages. SMS text messages may be used to notify mobile devices to:
- download and install Mobile Device Agent
- register Mobile Device Agent to the Mobile Security server
- update the Mobile Device Agent components from the Mobile Security server
- wipe, lock or locate the remote mobile device
- synchronize policies with the Mobile Security server
Agent Customization
Enables you to preset the server IP address and port number into the Android installation package.
Simpler Provisioning
Enables you to configure the server IP address, domain name and server port number in Android mobile devices in advance, to reduce the effort of deploying and enrolling mobile devices.
Application Inventory
Maintains the list of installed applications on mobile devices and displays it on the device status screen.
Application Control
Enables you to allow or block the installation of certain applications on mobile devices using approved and blocked lists.
Application Push
Enables you to push the application installation package or Web link of the application to mobile devices for installation.
Selective Wipe
Enables you to delete all the corporate data from the server, without deleting the user's personal data.
Compliance Check
Enables you to set the compliance criteria on the server, and checks the mobile devices for compliance.
Dashboard Screen
Introduces the Dashboard screen to replace the old Summary screen on the Web console to provide the status summary of server components and mobile devices.
Scheduled Reports
Enables you to configure Mobile Security to send scheduled reports at pre-defined intervals.
Enterprise Applications
Enables you to create a list of webclips and apps for the users to download and install on their mobile devices.
Updated Architecture
In Mobile Security for Enterprise v7.1, single and dual server deployment models are introduced. SMS Gateway is also removed in v7.1.
Provisioning Policy
This version introduces the provisioning policy for mobile devices.
Updated Architecture
In Mobile Security for Enterprise v7.0, SMS Gateway is added as an alternative to SMS Sender to send SMS messages to mobile devices.
Firewall
Mobile Security includes the Trend Micro firewall module, which comes with predefined security levels to filter network traffic. You can also define your own filtering rules and filter network traffic from specific IP addresses and on specific ports. The Intrusion Detection System (IDS) enables you to prevent attempts to continually send multiple packets to mobile devices. Such attempts typically constitute a Denial of Service (DoS) attack and can render your mobile device too busy to accept other connections.
Web Security
As mobile device technology advances, the sophistication of mobile threats also increases. Trend Micro Mobile Security provides Web Reputation and Parental Controls to protect your mobile device from unsafe Web sites and from Web sites that may contain objectionable material for children, teenagers and other family members. You can adjust the Web Reputation and Parental Controls setting levels to suit your needs. Mobile Security also logs the Web sites blocked by Web Reputation or Parental Controls in their respective logs.
SMS Anti-Spam
Mobile devices often receive unwanted messages or spam through SMS messaging. To filter unwanted SMS messages into a spam folder, you can specify the phone numbers from which all SMS messages will be considered spam or you can specify a list of approved phone numbers and configure Mobile Security to filter all messages from senders that are not in the approved list. You can also filter unidentified SMS messages or messages without sender numbers. Your mobile device will automatically store these messages to the spam folder in your inbox.
Note: The SMS Anti-Spam feature is not available on mobile devices without phone capabilities.
Call Filtering
Mobile Security enables you to filter incoming or outgoing calls from the server. You can configure Mobile Security to block incoming calls from certain phone numbers or you can specify a list of approved phone numbers to which the calls may be made from the mobile device. Mobile Security also enables mobile device users to specify their own Blocked or Approved list to filter unwanted incoming calls.
Note: The Call Filtering feature is not available on mobile devices without phone capabilities.
WAP-Push Protection
WAP-Push is a powerful method of delivering content to mobile devices automatically. To initiate the delivery of content, special messages called WAP-Push messages are sent to users. These messages typically contain information about the content and serve as a method by which users can accept or refuse the content. Malicious users have been known to send out inaccurate or uninformative WAP-Push messages to trick users into accepting content that can include unwanted applications, system settings, and even malware. Mobile Security lets you use a list of trusted senders to filter WAP-Push messages and prevent unwanted content from reaching mobile devices.
Note: The WAP-Push protection feature is not available on mobile devices without phone capabilities.
Authentication
After installing the Mobile Device Agent, a mobile device is associated with a user. The user must type a password (also known as the power-on password) to log on to the mobile device.
Data Encryption
Mobile Security provides dynamic data encryption for data stored on mobile devices and memory cards. You can specify the type of data to be encrypted and the encryption algorithm to use.
Regular Updates
To protect against the most current threats, you can either update Mobile Security manually or configure it to update automatically. Updates include component updates and Mobile Security program patch updates.
Logs
The following Mobile Device Agent logs are available on the Management Server:
- malware protection log
- Web threat protection log
- encryption log
- firewall log
- event log

Windows Mobile and Symbian:
- virus/malware logs
- firewall logs
- SMS anti-spam logs
- WAP Push protection logs
- Task logs

Android:
- malware logs
- Web security logs
- Blocked Message logs
- Call filtering logs
- System logs
Supported Features
The following table shows the list of features that Trend Micro Mobile Security supports per platform:
TABLE 1-1.

Columns: Policy, Features, Settings, Windows Mobile, Symbian, iOS, Android, BlackBerry

Provisioning
- Wi-Fi configuration
- Exchange ActiveSync configuration
- VPN configuration

Device Security
- Real-time scan
- Card scan
- Scan after pattern update
- Spam SMS Prevention: Server-side control, Use blocked list, Use approved list
- Spam WAP Push Prevention: Server-side control, Use approved list
- Call Filtering
- Firewall

Data Protection
- Password Settings: Allow simple password, Require alphanumeric password, Minimum password length, Password expiration, Password history
- Encryption
- Feature Lock: Restrict Camera, Restrict screen capture, Restrict apps installation, Restrict sync while roaming, Restrict voice dialing, Restrict in-app purchase, Restrict multiplayer gaming, Restrict adding game center friends, Force encrypted backups, Restrict explicit music & podcast, Restrict bluetooth, Restrict infrared, Restrict USB storage, Restrict WLAN/Wi-Fi, Restrict serial, Restrict speaker/speakerphone/microphone, Restrict Microsoft ActiveSync, Restrict MMS/SMS, Restrict memory cards, Restrict GPS, Siri, Cloud backup, Cloud document sync, Photo Stream, Diagnostic data, Accept untrusted Transport Layer Security (TLS), Force to store iTunes password, YouTube, iTunes, Safari Web browser, AutoFill, JavaScript, Popups, Force fraud warning, Accept cookies

Remote control
- Register
- Update
- Anti-theft: Remote locate, Remote lock, Remote wipe, Reset password
Chapter 2
Note:
1. On Internet Explorer, access the OfficeScan Web console URL.
2. On the Tools menu, click Compatibility View settings. The Compatibility View Settings window displays.
3. Click Add to add the Web site address to the compatibility list, and then click Close.
Dashboard Information
The Dashboard screen displays first when you access the Management Server. This screen provides an overview of the mobile device registration status and component details. The dashboard screen is divided into four categories:

- Health: shows the components and policy update and mobile device health status. In this category, you can:
  - View mobile devices status:
    - Healthy: shows that the device is registered with the Mobile Security server and the components and policies on the mobile device are up-to-date.
    - Unhealthy: shows that the device is registered with the Mobile Security server, but either the components or the policies are out-of-date.
    - Unregistered: shows that the device is not yet registered with the Mobile Security server.
  - View the total number of registered and unregistered mobile devices managed by Mobile Security. A mobile device may remain unregistered if one of the following happens:
    - a connection to the Communication Server is unsuccessful
    - the mobile device user has deleted the registration SMS message
    - the SMS message containing the registration information is lost in transit
  - Current Version: the current version number of the Mobile Device Agent or components on the Mobile Security server
  - Up-to-date: the number of mobile devices with updated Mobile Device Agent version or component
  - Out-of-date: the number of mobile devices that are using an out-of-date component
  - Update Rate: the percentage of mobile devices using the latest component version
  - Upgraded: the number of mobile devices using the latest Mobile Device Agent version
  - Not Upgraded: the number of mobile devices that have not upgraded to use the latest Mobile Device Agent version
  - Upgrade Rate: the percentage of mobile devices using the latest Mobile Device Agent
  - Server: the name of the module
  - Address: the domain name or IP address of the machine hosting the module
  - Current Version: the current version number of the Mobile Security server modules
  - Last Updated: the time and date of the last update
- Inventory: shows mobile device operating system version summary, telephone carriers summary, mobile device vendors summary and top 10 applications installed on mobile devices.
- Compliance: shows the app control, encryption and jailbreak/root status of mobile devices. In this category, you can:
  - View the mobile device jailbreak/root status:
    - Jailbroken/Rooted: the number of mobile devices that are jailbroken/rooted
    - Not Jailbroken/Rooted: the number of mobile devices that are not jailbroken/rooted
  - Encrypted: the number of mobile devices that are encrypted
  - Not Encrypted: the number of mobile devices that are not encrypted
  - Compliant: the number of mobile devices that comply with Mobile Security's application control policy
  - Not Compliant: the number of mobile devices that do not comply with Mobile Security's application control policy
- Protection: shows the lists of top five (5) security threats and top five (5) blocked Web sites.
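The Health and Compliance definitions above can be applied to a device inventory to reproduce the dashboard counts and to list the devices that need follow-up. This is an added example, not code from Trend Micro or the product; the `Device` fields, the constructed sample inventory, and the choice to compute the update rate over registered devices only are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Device:
    # Hypothetical record layout; the product's own export format is not shown on this page.
    name: str
    registered: bool
    components_current: bool = False
    policies_current: bool = False
    jailbroken_or_rooted: bool = False
    encrypted: bool = False
    app_control_compliant: bool = False


def health_status(d: Device) -> str:
    """Map one device to the dashboard's Healthy / Unhealthy / Unregistered state."""
    if not d.registered:
        return "Unregistered"
    if d.components_current and d.policies_current:
        return "Healthy"
    return "Unhealthy"  # registered, but components or policies are out-of-date


def dashboard_summary(devices):
    """Aggregate Health and Compliance counts as the dashboard describes them."""
    health = {"Healthy": 0, "Unhealthy": 0, "Unregistered": 0}
    for d in devices:
        health[health_status(d)] += 1
    registered = [d for d in devices if d.registered]
    up_to_date = sum(d.components_current for d in registered)
    # Assumption: the rate is taken over registered devices; empty inventory yields 0.0.
    rate = round(100.0 * up_to_date / len(registered), 1) if registered else 0.0
    return {
        "health": health,
        "up_to_date": up_to_date,
        "out_of_date": len(registered) - up_to_date,
        "update_rate": rate,
        "jailbroken_or_rooted": sum(d.jailbroken_or_rooted for d in registered),
        "not_encrypted": sum(not d.encrypted for d in registered),
        "not_compliant": sum(not d.app_control_compliant for d in registered),
    }


def needs_attention(devices):
    """Return {device name: [reasons]} for every device an administrator should review."""
    findings = {}
    for d in devices:
        if not d.registered:
            findings[d.name] = ["unregistered"]
            continue
        reasons = []
        if not d.components_current:
            reasons.append("components out-of-date")
        if not d.policies_current:
            reasons.append("policies out-of-date")
        if d.jailbroken_or_rooted:
            reasons.append("jailbroken/rooted")
        if not d.encrypted:
            reasons.append("not encrypted")
        if not d.app_control_compliant:
            reasons.append("not compliant with application control policy")
        if reasons:
            findings[d.name] = reasons
    return findings


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("alice-android", True, True, True, False, True, True),
    Device("bob-ios", True, True, False, False, True, True),
    Device("carol-android", True, False, True, True, False, False),
    Device("dave-wm", False),
    Device("erin-ios", True, True, True, False, False, True),
]

if __name__ == "__main__":
    print(dashboard_summary(SAMPLE_INVENTORY))
    for name, reasons in needs_attention(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(reasons)}")
```
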
Product License
After the Evaluation version license expires, all program features will be disabled. A Full license version enables you to continue using all features, even after the license expires. It's important to note, however, that the Mobile Device Agent will be unable to obtain updates from the server, making anti-malware components susceptible to the latest security risks.

If your license expires, you will need to register the Mobile Security server with a new Activation Code. Consult your local Trend Micro sales representative for more information.

To download updates and allow remote management, Mobile Device Agents must register to the Mobile Security server. For instructions to manually register Mobile Device Agents on mobile devices, refer to the Installation and Deployment Guide or the User's Guide for the mobile device platform.

To view license upgrade instructions for Mobile Security Management Module on the Management Server, click the View license upgrade instructions link in the Mobile Security Product License screen.
Administration Settings
Configuring Active Directory (AD) Settings
Trend Micro Mobile Security 8.0 enables you to configure user authorization based on the Active Directory (AD). You can also add mobile devices to the device list using your AD. Refer to the Initial Server Setup section in the Installation and Deployment Guide for the detailed configuration steps.
Chapter 3
The following table describes the icons in the device tree to indicate the update status for mobile devices:
TABLE 3-1. Mobile Device Icons

| Icon | Description |
|---|---|
| | The Mobile Device Agent successfully registered to the Mobile Security server. All Mobile Device Agent components are updated. All security policies are synchronized with the Mobile Security server. |
| | One or more Mobile Device Agent components are not updated. One or more security policies are not synchronized with the Mobile Security server. |
1. In the Device Management screen, click the Advanced search link. A pop-up window displays.
2. Select the search criteria and type the values in the fields provided (if applicable):
   - Device Name: descriptive name that identifies a mobile device
   - Phone Number: phone number of a mobile device
   - Platform: operating system the mobile device is running
   - Group: group to which the mobile device belongs
   - Program version: Mobile Device Agent's version number on the mobile device
   - Malware Pattern version: Malware Pattern file version number on the mobile device
   - Malware Scan Engine version: Malware Scan Engine version number of the mobile device
   - Infected client: confine the search to mobile devices with the specified number of detected malware
   - Unregistered device: confine the search to unregistered mobile devices
   - Outdated configuration file: confine the search to mobile devices with an out-of-date configuration file
   - Outdated component: confine the search to mobile devices with an out-of-date component
3.
- Policy: shows the times the configuration and the security policy were last updated.
- Installed Applications: displays the list of all the applications that are installed on the mobile device, and the compliance check result. This tab is available only for Android and iOS mobile devices.
Note: On Windows Mobile or Symbian mobile devices, if you have not enabled the SMS messaging feature for Mobile Security, you need to configure the update schedule in the General Policies screen (see General Policies on page 4-3) to periodically update components. However, on Android mobile devices, if you have not enabled the SMS messaging feature for Mobile Security, you can also update components and sync policies through push instructions.
On-demand Remote Device Wipe: by sending a remote wipe instruction to the mobile device, the administrator can remotely reset the mobile device to factory settings and format the SD card, if present. Alternatively, the administrator can clear only the corporate data on the mobile device.
1. Obtain the mobile device name and the challenge code the user generated on the mobile device. Refer users to the User's Guide for instructions on challenge code generation.
2. Log on to the OfficeScan Web console and click Plug-in Manager.
3. Click Manage Program for Mobile Security, and then click Device.
4. Select the mobile device from the tree, and then click Password Reset.
5. In the Remote Unlock screen, click Select a device. The device tree displays.
6. Select the mobile device you want to unlock remotely, and click Select.
7. Type the challenge code in the field and click Generate. The Management Server generates the response code and displays the code on a pop-up screen.
8. Instruct the user to click Next in the Password screen on the mobile device and type the response code to unlock the mobile device.

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security, and then click Device.
3. Select the mobile device from the tree, and then click Password Reset.
4. Type and confirm the new six-digit password on the pop-up dialog box that appears.

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security, and then click Device.
3. Select the mobile device from the tree, and then click Password Reset.
4. Click OK on the confirmation dialog box that appears. The power-on password for the selected iOS mobile device will be removed.
Security Policies
You can configure security policies for a Mobile Security group on the Management Server. These policies apply to all mobile devices in the group. Refer to chapter Protecting Devices with Policies starting on page 4-1 for more information about these policies and the detailed steps for their configuration.
Logs
Mobile Security maintains the malware protection log, firewall log, encryption log, and Web threat protection log on the Management Server. Refer to chapter Viewing and Maintaining Logs starting on page 6-1 for more information about these policies and the detailed steps for their configuration.
For instructions, refer to the Online Help for Mobile Security server.
Chapter 4
Device Security
Devices
Application Management
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Device, select one or more groups in the device tree and click Policy. The Policy window pops up.
4. On the left-menu, click the policy you want to configure. The respective policy configuration displays in the right-pane.
Note: Trend Micro recommends synchronizing settings on Mobile Device Agents immediately after you have changed the security policy settings in the Group Policies screens. Refer to Mobile Device Agent Provisioning on page 3-5 for more information.
General Policies
To configure general security policy settings, select a group from the device tree; click Policy, and then click General Policy.
User Privileges
You can enable or disable the feature that allows users to uninstall the Mobile Device Agent. Additionally, you can select whether to allow users to configure Mobile Security device agent settings.

The following is a list of features associated with uninstall protection:
- turn On/Off uninstall protection from the management console
- password length must have a minimum of six (6) and a maximum of twelve (12) characters; password may contain numbers, characters or symbols.
- password can be set for each group from the management console.
FIGURE 4-1.
If you do not select the Allow users to configure Mobile Security client settings check box, users cannot change Mobile Device Agent settings. However, Spam Prevention Policy and Call Filtering Policy are not affected when this option is selected. For more information, see Spam SMS Prevention Policies on page 4-7 and Spam WAP-Push Prevention Policies on page 4-8.
Update Settings
You can select to have the Mobile Security server notify Mobile Device Agents when a new component is available for update. Or you can select the auto-check option to have Mobile Device Agents periodically check for any component or configuration updates on the Mobile Security server.
When you enable the wireless connection notification option, a prompt screen displays on mobile devices before Mobile Device Agents connect to the Communication Server through a wireless connection (such as 3G or GPRS). Users can choose to accept or decline the connection request.
FIGURE 4-2.
Log Settings
When Mobile Device Agents detect a security risk, such as an infected file or firewall violation, a log is generated on mobile devices. If the Encryption Module is activated, the encryption logs are also generated. You can set the mobile devices to send these logs to the Mobile Security server. Do this if you want to analyze the number of infections or pinpoint possible network attacks and take appropriate actions to prevent threats from spreading.
Notification Settings
Select whether to display a prompt screen on mobile devices when a mobile device agent tries to establish a connection to the Communication Server.
Scan Types
Mobile Security provides several types of scans to protect mobile devices from malware.
Real-time Scan
Mobile Device Agent scans files on mobile devices in real time. If Mobile Device Agent detects no security risk, users can proceed to open or save the file. If Mobile Device Agent detects a security risk, it displays the scan result, showing the name of the file and the specific security risk. Mobile Security will generate a log with the scan result on the mobile device. The scan log is sent and stored on the Mobile Security database.
Card Scan
If you select the Card Scan option in the Malware Protection Policies screen, Mobile Security scans data on a memory card when the memory card is inserted to a mobile device. This prevents infected files from spreading through memory cards.
Scan after Pattern Update
If you select the Scan after pattern update option in the Malware Protection Policies screen, Mobile Security will run an automatic-scan for security threats after successful pattern update on Android mobile devices.
Scan Actions
When malware is detected on a mobile device, Mobile Security can delete or quarantine the infected file. If the file is in use, the operating system may deny access to it.
- Delete: removes an infected file
- Quarantine: renames and then moves an infected file to the mobile device's quarantine directory in \TmQuarantine (for Windows Mobile) or {Disk Label}\TmQuarantine (for Symbian OS).
When connected, Mobile Device Agents send malware logs to the Mobile Security server.
Note: Scan actions only apply to Real-time scan.
File Type and Compression Level Options
For ZIP or CAB files, you can specify the number of compression layers to scan. If the number of compression layers in a ZIP/CAB file exceeds this number, Mobile Security will not scan the file. Mobile Security will take no further action unless the appropriate number of compression layers is specified. You can select to have Mobile Security scan executable, CAB/ZIP files, or all files on mobile devices.
Note: The SMS approved and blocked list must use the format: "[name1:]number1;[name2:]number2;...". The 'name' length should not exceed 30 characters, while phone number should be between 4 and 20 characters long and can contain the following: 0-9, +, -, #, (, ) and spaces. The maximum number of entries should not exceed 200.
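The list format in the note above can be checked before a list is pasted into the console. The following Python validator is an added example, not part of the Mobile Security product; it assumes that a trailing ";" is tolerated, that surrounding whitespace is ignored, and (for the approved/blocked overlap check) that two numbers are the same when their digits match. All sample values are constructed.

```python
import re

MAX_ENTRIES = 200      # maximum number of entries in one list
MAX_NAME_LEN = 30      # maximum length of the optional name
# 4 to 20 characters drawn from 0-9, +, -, #, (, ) and spaces
NUMBER_RE = re.compile(r"[0-9+\-#() ]{4,20}")


def parse_sms_list(raw):
    """Parse '[name1:]number1;[name2:]number2;...' into (entries, errors).

    entries is a list of (name or None, number); errors is a list of strings.
    """
    entries, errors = [], []
    items = raw.split(";")
    if items[-1].strip() == "":      # assumption: a trailing ';' is tolerated
        items.pop()
    for pos, item in enumerate(items, start=1):
        # ':' is not a legal character in a number, so the last ':' (if any)
        # separates the optional name from the number.
        name, _, number = item.rpartition(":")
        name, number = name.strip(), number.strip()
        if not number:
            errors.append(f"entry {pos}: missing phone number")
            continue
        if len(name) > MAX_NAME_LEN:
            errors.append(f"entry {pos}: name longer than {MAX_NAME_LEN} characters")
            continue
        if not NUMBER_RE.fullmatch(number):
            errors.append(f"entry {pos}: number must be 4-20 characters of 0-9 + - # ( ) or space")
            continue
        entries.append((name or None, number))
    if len(items) > MAX_ENTRIES:
        errors.append(f"{len(items)} entries exceed the maximum of {MAX_ENTRIES}")
    return entries, errors


def digits_only(number):
    """Comparison key for a number (assumption: formatting is not significant)."""
    return re.sub(r"\D", "", number)


def find_conflicts(approved, blocked):
    """Return approved numbers that also appear in the blocked list."""
    blocked_keys = {digits_only(n) for _, n in blocked} - {""}
    return [n for _, n in approved if digits_only(n) in blocked_keys]


if __name__ == "__main__":
    # Constructed sample lists
    approved, errs = parse_sms_list("Alice:+1 (555) 010-0100;5550101;Bob:123")
    blocked, _ = parse_sms_list("Spam:1-555-010-0100")
    print("approved:", approved)
    print("errors:", errs)
    print("in both lists:", find_conflicts(approved, blocked))
```
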
Firewall Policies
The Mobile Security firewall protects mobile devices on the network using stateful inspection, high performance network traffic control and the intrusion detection system (IDS). You can create rules to filter connections by IP address, port number, or protocol, and then apply the rules to mobile devices in specific Mobile Security groups.
Note: Trend Micro recommends uninstalling other software-based firewall applications on mobile devices before deploying and enabling Mobile Security firewall. Multiple vendor firewall installations on the same computer may produce unexpected results.
You can configure firewall policies for Mobile Security in Policy > Firewall Policies.
A firewall policy includes the following:
- Firewall Policy: Enable/Disable the Mobile Security firewall and the IDS. Also includes a general policy that blocks or allows all inbound and/or all outbound traffic on mobile devices
- Exception List: A list of configurable rules to block or allow various types of network traffic
Pre-defined Firewall Security Level
The Mobile Security firewall comes with three pre-defined security levels that allow you to quickly configure firewall policies. These security levels limit network traffic based on traffic directions.
- Low: allow all inbound and outbound traffic.
- Normal: allow all outbound traffic but block all inbound traffic.
- High: block all inbound and outbound traffic.
Intrusion Detection System
The Mobile Security firewall integrates the Intrusion Detection System (IDS) and helps prevent SYN Flood attacks (a type of Denial of Service attack) where a program sends multiple TCP synchronization (SYN) packets to a computer, causing the mobile device to continually send synchronization acknowledgment (SYN/ACK) responses. This can exhaust system resources and may leave mobile devices unable to handle other requests.
Exception Rules
Exception rules include more specific settings to allow or block different kinds of traffic based on mobile device port number(s) and IP address(es). The rules in the list override the Security level policy. Exception rule settings include the following:
- Action: blocks or allows/logs traffic that meets the rule criteria
- Direction: inbound or outbound network traffic on mobile devices
- Protocol: type of traffic: TCP, UDP, ICMP
- Port(s): ports on the mobile devices on which to perform the action
- IP addresses: IP addresses of network devices to which the traffic criteria apply
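How a pre-defined security level and an exception list combine can be reviewed offline before a policy is applied to a group. The following Python model is an added example, not Trend Micro code; it assumes that the first matching exception rule wins, that an empty port or address list means "any", and that addresses are written as CIDR ranges. The rule names, ports and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Pre-defined security levels: default verdict per traffic direction
SECURITY_LEVELS = {
    "Low":    {"inbound": "allow", "outbound": "allow"},
    "Normal": {"inbound": "block", "outbound": "allow"},
    "High":   {"inbound": "block", "outbound": "block"},
}


@dataclass(frozen=True)
class ExceptionRule:
    name: str              # hypothetical label used only in this example
    action: str            # "allow" or "block"
    direction: str         # "inbound" or "outbound"
    protocol: str          # "TCP", "UDP" or "ICMP"
    ports: tuple = ()      # ports on the mobile device; empty = any (assumption)
    networks: tuple = ()   # CIDR ranges of remote devices; empty = any (assumption)

    def matches(self, direction, protocol, port, remote_ip):
        if direction != self.direction or protocol != self.protocol:
            return False
        # ICMP has no ports, so the port list is only checked for TCP/UDP
        if self.ports and protocol != "ICMP" and port not in self.ports:
            return False
        if self.networks:
            addr = ip_address(remote_ip)
            return any(addr in ip_network(net) for net in self.networks)
        return True


def evaluate(level, rules, direction, protocol, port, remote_ip):
    """Return (verdict, reason): exception rules override the security level."""
    for rule in rules:  # assumption: first matching rule wins
        if rule.matches(direction, protocol, port, remote_ip):
            return rule.action, f"exception rule '{rule.name}'"
    return SECURITY_LEVELS[level][direction], f"security level {level}"


def unrestricted_inbound_allows(rules):
    """Names of rules that open inbound traffic to every remote address."""
    return [r.name for r in rules
            if r.action == "allow" and r.direction == "inbound" and not r.networks]


# Constructed exception list for illustration
SAMPLE_RULES = (
    ExceptionRule("intranet-app", "allow", "inbound", "TCP",
                  ports=(8080,), networks=("10.0.0.0/24",)),
    ExceptionRule("deny-test-net", "block", "outbound", "UDP",
                  networks=("203.0.113.0/24",)),
    ExceptionRule("ping", "allow", "inbound", "ICMP"),
)

if __name__ == "__main__":
    cases = [
        ("Normal", "inbound", "TCP", 8080, "10.0.0.7"),
        ("Normal", "inbound", "TCP", 8080, "192.0.2.9"),
        ("Low", "outbound", "UDP", 40000, "203.0.113.5"),
        ("High", "inbound", "ICMP", None, "198.51.100.1"),
    ]
    for level, direction, proto, port, ip in cases:
        verdict, reason = evaluate(level, SAMPLE_RULES, direction, proto, port, ip)
        print(f"{level:6} {direction:8} {proto:4} {ip:14} -> {verdict} ({reason})")
    print("inbound allow rules without an address limit:",
          unrestricted_inbound_allows(SAMPLE_RULES))
```

The last check is the one to read before raising a group to High: an inbound allow rule with no address restriction still admits that traffic from anywhere, because the exception list overrides the level.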
Permitted Applications: control the applications installed on mobile devices by using approved and blocked lists.
- Select application services (for Android only): select the application service that you want to enable or disable on Android mobile devices, and add the application that uses this service to the approved or blocked list.
- Allow the installation of certain applications: add the applications to the approved list that you want to allow users to install on their mobile devices. If enabled, user will be able to install only the applications that you add to the approved list, and the installation of all the other applications will be blocked.
- Block the installation of certain applications: add the applications to the blocked list that you do not want users to install on their mobile devices. If enabled, user will not be able to install the applications that you add to this list, and the installation of all the other applications will be allowed.
Note: Users can view only the published and categorized applications on their mobile devices.
Note: Enterprise App Store is only available on Android and iOS mobile devices.
TABLE 4-1. Password Policies
Description:
- Passwords must contain only numbers or alphanumeric characters.
- Passwords must be longer than the number of characters specified.
- For alphanumeric passwords, users must configure passwords that contain upper case, lower case, special characters, or numbers to make passwords harder to guess.
Option: Initial Mobile Device Agent password
Description: Password that allows users to log on to their Windows Mobile devices after installing the Mobile Device Agent and the Encryption Module. The default is "123456".
Description:
- Password used by an administrator to unlock a mobile device.
- The number of days a logon password is valid. After the password expires, the user must configure a new password to log on.
Option: Inactivity timeout
Description: The number of minutes of no user activity before the mobile device automatically goes into secure mode and displays the logon screen.
Description: Limit the number of logon attempts to prevent brute force password attack. Possible actions when the limit is reached:
- Soft reset: restarts the mobile device.
- Admin access only: requires logon using the administrator password.
Note: When specifying the characters for the initial or admin password, keep in mind the input method used by mobile devices. Otherwise, the device user may not be able to unlock the device after encryption is enabled.
Encryption Settings
Mobile Device Agent provides on-the-fly data encryption function to secure data on mobile devices. Two encryption algorithms are available: Advanced Encryption Standard (AES, with 128-bit, 192-bit, or 256-bit keys) and XTS-Advanced Encryption Standard (AES).
Note: Mobile Security can only manage the data security policy on Windows Mobile devices. The encryption module does not support Symbian mobile devices.
You can select specific file types to encrypt on Windows Mobile devices, the encryption algorithm to use, trusted applications that are allowed to access encrypted data, or apply data encryption on memory cards inserted on mobile devices. Mobile Device Agent does not encrypt Dynamic Link Library (*.DLL) files. Mobile Device Agent only encrypts files that a user has modified. Reading a file and closing it without any modifications does not result in the file being encrypted. After the Encryption Module is enabled, certain file types and PIM information are encrypted. These file types and PIM Information are listed in Table 4-2.
TABLE 4-2. Encrypted Information
Encrypted Information    Types
File Types
PIM Information
The Encryption Module only allows trusted applications to access encrypted data. Therefore, the administrator must add these applications to the trusted application list. To add software to the trusted application list, add the full software path to the appropriate list under: "Allow more applications to access encrypted data".
Note: For advanced configuration, you can set Mobile Security to encrypt other file types. To enable encryption of custom file types, set the parameter Enable_Custom_Extension to 1 in the file TmOMSM.ini (located in \OfficeScan\Addon\Mobile Security). When the parameter is set to "1" in the file TmOMSM.ini, the Encrypt other file types field displays in the Data Security Policies screen. Specify the file types in this field. To disable this feature, set the parameter Enable_Custom_Extension to 0. When the parameter is set to "0" in the file TmOMSM.ini, the Encrypt other file types field is not available in the Data Security Policies screen. After making the change in the TmOMSM.ini file, restart OfficeScan Plug-in Manager service for the change to take effect.
WARNING! Trend Micro does not recommend customizing file types for encryption. You cannot encrypt certain file types (for example, .exe, .cert, .dll, etc.). If you set Mobile Security to encrypt file types that should not be encrypted, unexpected system errors may occur.
Supported Features/Components
You can control the availability of the following features on mobile devices:
- Camera
- Video conference
- Bluetooth & Bluetooth Discover: disabling this feature also disables ActiveSync via Bluetooth and external GPS connections.
- Memory cards
- Screen capture
- Applications installation
- Sync while roaming
- Voice dialing
- In App purchase
- Multiplayer gaming
- Add Game Center friends
- Force encrypted backups
- Explicit music & podcast
- Infrared: disabling this feature on a mobile device blocks the incoming beam service (Receive all incoming beams).
- USB storage
- WLAN/WIFI
- Serial: disabling this feature also disables ActiveSync via USB using a pseudo serial connection and external GPS connections. This could also disable certain infrared and Bluetooth services.
- Speaker/speakerphone/microphone
- Microsoft ActiveSync
- MMS/SMS: disabling this feature blocks all incoming and outgoing messages; including messages sent by Mobile Security.
- Memory cards
- GPS: disabling this feature only blocks the internal GPS feature (applicable only if the mobile device has an in-built GPS component) and external GPS connections based on GPSID (GPS Intermediate Driver). External GPS connections using the serial port are not affected.
Additionally, you can control the following features for iOS mobile devices:
- Siri
- Cloud Backup
- Cloud Document Sync
- Photo Stream
- Diagnostic Data
- Accept untrusted Transport Layer Security (TLS)
- Force iTunes Store Password
- YouTube
- iTunes
- Safari
- AutoFill
- JavaScript
- Popups
- Force fraud warning
- Accept cookies
WARNING! Use caution while disabling WLAN/WIFI and/or Microsoft ActiveSync. The mobile device may not be able to communicate with the server if both these options are unavailable.
You can also add access point(s) for Android mobile devices to control the availability of the device components within the range of those access point(s).
Compliance Policy
Compliance policy enables you to set the compliance criteria for the mobile devices. If any mobile device does not match the criteria, Mobile Security displays its non-compliance status on the server UI. Mobile Security also sends an email to the non-complying iOS mobile device, while it displays a notification on non-complying Android mobile devices. The compliance check list includes:
- Rooted/Jailbroken: checks whether the mobile device is rooted/jailbroken or not.
- Unencrypted: checks whether the encryption is enabled on the mobile device or not
- OS version check: checks whether the OS version matches the defined criteria or not.
Chapter 5
Updating Components
This chapter shows you how to configure scheduled and manual server updates and then specify the update source for ActiveUpdate. You will also learn to perform component updates on specific Mobile Device Agents. The chapter includes the following sections:
- About Component Updates on page 5-2
- Server Update on page 5-2
- Device Update on page 5-6
- Manually Updating a local AU server on page 5-9
Server Update
You can configure scheduled or manual component updates on the Mobile Security server to obtain the latest component files from the ActiveUpdate server. After a newer version of a component is downloaded on Mobile Security server, the Mobile Security server automatically notifies mobile devices to update components. You can perform updates manually, or let Mobile Security perform them according to a schedule.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click the Manage Program button for Mobile Security.
3. Click Updates > Server Update. The Server Update screen appears.
4. On the Manual tab, select the check box of the component you want to update. Select the Anti-Malware Components, Program and/or Program Installation Package check box(es) to select all components in that group. This screen also displays the current version of each component and the time the component was last updated. Refer to About Component Updates on page 5-2 for more information on each update component. Click Update to start the component update process.
FIGURE 5-1.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click the Manage Program button for Mobile Security.
3. Click Updates > Server Update and click the Scheduled tab. The Scheduled Update screen appears.
4. Select the check box of the component you want to update. Select the Anti-Malware Components, Program and/or Program Installation Package check box(es) to select all components in that group. This screen also displays each component's current version and the time the component was last updated.
5. Under Update Schedule, configure the time interval to perform a server update. The options are Hourly, Daily, Weekly, and Monthly. For weekly schedules, specify the day of the week (for example, Sunday, Monday, and so on). For monthly schedules, specify the day of the month (for example, the first day, or 01, of the month and so on).
Note: The Update for a period of x hours feature is available for the Daily, Weekly, and Monthly options. This means that your update will take place sometime within the x number of hours specified, following the time selected in the Start time field. This feature helps with load balancing on the ActiveUpdate server.
FIGURE 5-2.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click the Manage Program button for Mobile Security.
3. Click Updates > Server Update. For more information about the server update see Manual Server Update on page 5-2 or for scheduled update see Scheduled Server Update on page 5-3.
4. Click the Source tab and select one of the following download sources:
- Trend Micro ActiveUpdate server: the default update source.
- Other update source: specify HTTP or HTTPS Web site (for example, your local Intranet Web site), including the port number that should be used from where Mobile Device Agents can download updates.
Note: The updated components have to be available on the update source (Web server). Provide the host name or IP address, and directory (for example, https://12.1.123.123:14943/source).
FIGURE 5-3.
Device Update
Registered Mobile Device Agents can connect to the Communication Server to obtain the latest scan engine, malware pattern, or program patch files. When an updated file is available on the Mobile Security server, an SMS update message is sent to Mobile Device Agents to install the new components. In addition, you can set Mobile Device Agents to regularly check for any component updates on the Mobile Security server.
Types of Updates
Mobile Security has three types of updates.
TABLE 5-1. Mobile Security Updates
Type: Description
- Manual: User-initiated; users can run these updates anytime.
- Automatic: Runs whenever a user initiates a network connection on their mobile device if the minimum check-in interval has elapsed.
- Forced: Runs at specified intervals regardless whether other updates run within the interval period; forced updates open the default wireless connection if the device is not connected to the Mobile Security Management Server.
Use the Device Update screen to send an update notification to all mobile devices with out-of-date components or the mobile devices you select.
Note: You can also configure devices to perform scheduled component updates. For more information, refer to Update Settings on page 4-4 and/or the User's Guide for your mobile device.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click the Manage Program button for Mobile Security.
3. Click Updates > Device Update. The Device Update screen displays. You can see the current component versions for each supported device and the time the components were last updated.
4. Specify which devices to send update notifications:
- Select All devices with outdated components to send update notifications to all mobile devices with an older component version. This is the default selection.
- Choose Select devices manually to display the device tree that enables you to choose devices you want to send update notifications and download new components.
5. Click Update. Depending on your selection, Mobile Security server searches for all mobile devices with an out-of-date component and notifies them to perform a component update on those mobile devices, or notifies the selected mobile devices.
FIGURE 5-4.
1. Obtain the installation package from your Trend Micro sales representative.
2. Extract the installation package.
3. Copy the folders TmmsServerAu and TmmsClientAu to the directory where the virtual directory TmmsAu is located (refer to the section Installing Server Components with a Local Update Source in Chapter 1 of the Installation and Deployment Guide, for how to create the virtual directory). If prompted, accept to overwrite any existing folders in the directory.
Note: When using a Local AU Server, you should check for updates periodically.
Chapter 6
4. Specify the query criteria for the logs you want to view. The parameters are:
- Time period: select a predefined date range. Choices are All, Last 24 hours, Last 7 days, and Last 30 days. If the period you require is not covered by the above options, select Range and specify a date range.
- From: type the date for the earliest log you want to view. Click the icon to select a date from the calendar.
- To: type the date for the latest log you want to view. Click the icon to select a date from the calendar.
- Sort by: specify the order and grouping of the logs.
FIGURE 6-1.
TABLE 6-1.
Event Log Message
- Add device on console (causes a mobile device registration; also logged)
- Delete device in console (causes a mobile device unregistration; also logged)
- Administrator changes the mobile device name or phone number
- Administrator changes the group of the mobile device
- Master Service receives a registration request from a mobile device
- Master Service receives an unregistration request from a mobile device
TABLE 6-2. Event log error codes
Error Code: Error Text
-200: Operation failed for general error. Please try the operation again.
-202: Device does not exist, it may have been removed by another session.
-203: Group does not exist, it may have been removed by another session.
-204: The phone number has already been assigned to another mobile device, please use a different phone number and try again.
Log Maintenance
When Mobile Device Agents generate event logs about security risk detection, the logs are sent and stored on the Mobile Security Management Module. Use these logs to assess your organization's protection policies and identify mobile devices that face a higher risk of infection or attack. To keep the size of your Mobile Device Agent logs from occupying too much space on your hard disk, delete the logs manually or configure Mobile Security Management Module to delete the logs automatically based on a schedule in the Log Maintenance screen.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Logs > Log Maintenance. The Log Maintenance screen displays.
4. Select Enable scheduled deletion of logs.
5. Select the log types to delete: Malware, Firewall, Encryption or Event.
6. Select whether to delete logs for all the selected log types or those older than the specified number of days.
7. Specify the log deletion frequency and time.
8. Click Save.

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Logs > Log Maintenance. The Log Maintenance screen displays.
4. Select whether to delete logs for all the selected log types or only older than the specified number of days.
5. Select the log types to delete.
6. Click Delete Now.
Chapter 7
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Notification > Settings. The Notification Settings screen displays.
4. In Email Settings section, type the From email address, the SMTP server IP address and its port number.
5. If the SMTP server requires authentication, select Authentication, and then type the username and password.
6. Click Save.
Use the SMS Sender Settings to:
- configure SMS sender phone numbers
- view SMS sender connection status
- set Mobile Device Agent installation message
- delete or view SMS messages waiting to be sent
- configure SMS sender disconnect notification
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Notification > Settings. The Notification Settings screen displays. In SMS Sender Settings section, the list of SMS sender phone numbers and the connection status are displayed. If the SMS sender is connected to the Communication Server successfully, the Status field displays Connected.
Note: After three (3) failed attempts to send an SMS message(s), the mobile device will display "disconnected".
- unregister from the Mobile Security Management Module
- update Mobile Device Agent components
- synchronize security policy settings with the Mobile Security Management Module
- remote wipe the mobile device
- remote lock the mobile device
- remote locate the mobile device
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Notification > Settings. The Notification Settings screen displays.
4. In SMS Sender Settings section, click Add, type the phone number of an SMS sender and click Save. The SMS sender appears in the list.
5. Check that the Status field displays "Connected" for the number you have configured. If the Status field displays "Disconnected", make sure the SMS sender device is connected to the Communication Server.
Note: Existing SMS senders can be modified by clicking the phone number.
FIGURE 7-1.
Monitoring SMS Senders
Mobile Security can monitor the status of SMS Senders and send out email notifications if any of the SMS Senders is disconnected for more than ten minutes. Additionally, the SMS Sender device also displays the connection status: Agent stopped, Agent running, Agent not in use, or Agent disconnected. Refer to Administrator Notifications and Scheduled Reports on page 7-5 for the configuration details.
Reports:
- Devices Inventory Report: is the comprehensive report of all the mobile devices managed by Mobile Security.
- Compliance Violation Report: is the report of all the mobile devices managed by Mobile Security that do not comply with the configured policy.
- Malware Detection Report: is the report of all the security threats detected on mobile devices managed by Mobile Security.
- Web Threat Protection Report: is the report of all the unsafe URLs accessed on mobile devices managed by Mobile Security.
- Application Inventory Report: is the report of all the apps installed on mobile devices managed by Mobile Security.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Notifications/Reports > Administrator Notifications/Reports.
4. Select the notifications and reports you want to receive via email, and then click on individual notifications and reports to modify their contents.
Note: While editing the Message field in email notification messages, make sure to include the token variables <%PROBLEM%>, <%REASON%> and <%SUGGESTION%>, which will be replaced by the actual values in the email message.
5. Click Save when done, to return back to the Administrator Notifications/Reports screen.
User Notification
Use the User Notifications screen to configure the following email and/or SMS text message notification:
- Mobile Device Enrollment: sends email and/or a text message to notify mobile devices to download and install Mobile Device Agent. Token variable <%DOWNLOADURL%> will be replaced by the actual URL of the setup package.
- Policy Violation: sends email notification to mobile devices if the compliance criteria is not met. Token variables <%DEVICE%> and <%VIOLATION%> will be replaced by the mobile device's name in the email, and the policies that it violates.
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Notifications/Reports > User Notifications.
4. Select the notifications you want to send to user via email or text message, and then click on individual notifications to modify their contents.
To configure email notification messages, update the following details as required:
- Subject: The subject of the email message.
- Message: The body of the email message.
Note: While editing the Message field, make sure to include the token variables <%DOWNLOADURL%> or <%DEVICE_NAME%> and <%VIOLATION%>, which will be replaced by the actual URLs in the email message.
To configure text notification messages, update the body of the message in the Message field.
Note: While editing the Message field, make sure to include the token variable <%DOWNLOADURL%>, which will be replaced by the actual URL in the text message.
5. Click Save when done, to return to the User Notifications screen.
Chapter 8
1. To begin the installation, open the Data Recovery Tool installer file TmmsDataRecoverySetup.exe. The installation wizard starts with the Welcome screen. Click Next.
FIGURE 8-1. Welcome screen
2. The License Agreement screen appears. Select I accept the terms of the license agreement and click Next.
FIGURE 8-2.
3. The Destination Folder screen appears. Click Change to change the folder. Otherwise, click Next to accept the default folder.
FIGURE 8-3.
4. The Ready to Install the Program screen appears. Click Install to install the program.
FIGURE 8-4.
5. When the InstallShield Wizard Completed screen appears, click Finish to exit the wizard.
FIGURE 8-5.
1. Obtain the files to be decrypted from the user.
2. Create and download the policy file from the UI by logging on to the Management Server, then log on to the OfficeScan Web console and click Plug-in Manager.
3. Click Manage Program for Mobile Security, and then click Device > {Group} > Policy > Encryption and Password Policy. The Encryption and Password Policies window displays.
4. On the Windows Mobile tab, click Download Recovery File.
FIGURE 8-6.
5. Open the tool by clicking Start > Programs > Trend Micro > Trend Micro TMMS Recovery Tool > Launch TmmsDataRecovery.exe.
6. Type:
- the location of the recovery file (the correct recovery file MUST be used; see note that follows)
- the location of the user file(s) to be decrypted (multiple files can be selected)
- the location where the decrypted files will be placed (the destination folder cannot be the same as the location of the files you want to decrypt)
FIGURE 8-7.
Note: The recovery file for the Data Recovery Tool is associated with a particular group. The recovery file contains a history of keys that were generated with the administrator's password, which works as a decryption key. If the key in the recovery file is incorrect, but the password is correct, the target file cannot be decrypted correctly. Therefore, the correct recovery file MUST be used.
7. A pop-up screen appears. Type the administrator password and click OK to start decrypting the files.
FIGURE 8-8. Password entry
8. Upon completion, the following screen appears. Click OK to end, or View Log to view the decryption logs.
FIGURE 8-9. Encryption completed
9. The log file lists the decryption log entries and the result.
Chapter 9
Troubleshooting
This section provides tips for dealing with issues you may encounter when using Mobile Security.
OfficeScan does not display the updated Plug-in Manager version for Mobile Security.
If a new version of Management Server is available on the ActiveUpdate server and your Mobile Security server does not display the version number properly, restart the Plug-in Manager on the Mobile Security server.
The OfficeScan Web console prompts me to install TMMS_AtxConsole.cab every time I access the Device Management screen for Mobile Security.
You have configured Internet Explorer to use a higher security level. To resolve this problem, return the security level for Internet Explorer to the default policy.
Unable to access the management console for Mobile Security through Control Manager.
Mobile Security does not support remote management through Control Manager.
The status of an SMS sender is always disconnected.
1. Make sure the phone services for the SMS senders are still available. For example, check that you have paid the phone bills and the services are not terminated.
2. If you connect an SMS sender to a host computer using ActiveSync and a firewall is installed on the Communication Server, you must configure a firewall rule to allow traffic on port 5721. Otherwise, the SMS sender cannot receive instructions from the server to send messages to mobile devices.

Check that SMS senders are connected to the Communication Server.
Make sure the phone services for the SMS senders are still available. For example, check that you have paid the phone bills and the services are not terminated.
If you installed SMS sender and Mobile Device Agent on the same mobile device, and a firewall is installed on the Communication Server, you must configure a firewall rule to allow traffic on port 5721. Otherwise, the SMS sender cannot receive instructions from the server to send messages to mobile devices.
Change the encoding method on SMS senders and try again. By default, SMS senders use the unicode encoding method when sending messages. Select "7-bit GSM" if service providers do not support unicode encoding.
Mobile device keyboards can only support a certain set of characters. Trend Micro recommends that the administrator compile a list of characters supported by the devices. After compiling the list of supported characters, the administrator can then set the uninstall protection password from the management console using the list of supported characters.
The Mobile Security agent cannot receive the server's SMS notification or connect to the server via the public DNS name.
The version of Mobile Security agent supporting a DNS name should be higher than 5.0.0.1099 for Windows Mobile platform and higher than 5.0.0.1061 for Symbian OS 9.x S60 3rd Edition platform. Previous versions can connect via IP address only.
SYN Flood Attack
The firewall may pop up a SYN Flood warning dialog when an administrator is using the Mobile Security 7 web console remotely or locally. This is an Intrusion Detection System (IDS) warning from the firewall. It occurs because the OfficeScan web server does not have the "Keep alive" option enabled. Enable this option to keep the message from reappearing. See your web server documentation for instructions on how to do this.
Application(s) fail to function after enabling Encryption Module.
When a user uses the Encryption Module on a device, some existing applications may not function. The reason is that these applications may not be in the trusted application list. After the Encryption Module is enabled, certain file types are encrypted (for example, doc, txt, ppt, pdf, and xls). The Encryption Module only allows trusted applications to access encrypted data. Therefore, the administrator must add these applications to the trusted application list. For more information see Encryption Settings on page 4-14.
On the OfficeScan Management console, the device component status or configuration status displays "Out-of-date" after the Mobile Device Agent successfully updates.
If Management Server and Communication Server are not accessible during the update, the Mobile Device Agent will update from Trend Micro's official AU server. In this case, the update may succeed, but the Mobile Device Agent will not sync with the Communication Server. This will cause the device's component status or configuration status to be out-of-date.
After canceling the Communication Server uninstallation process, the Communication Server fails to function normally.
If the uninstallation process started deleting the files and services that are important for the Communication Server's normal operation before the process was stopped, the Communication Server may not function normally. To resolve this issue, install and configure the Communication Server again.
iOS mobile devices cannot enroll with the Management Server and display an "Unsupported URL" error message.
This issue may happen if the system clock of the SCEP server is set to the incorrect time or the Simple Certificate Enrollment Protocol (SCEP) certificate is not obtained by Trend Micro Mobile Security. Make sure that the system clock of the SCEP server is set to the correct time. If the issue persists, perform the following steps:
1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security, and then click Administration > Communication Server Settings.
3. Without changing the settings, click Save.
The Management Server cannot receive policy from the BlackBerry Enterprise Server (BES).
The Communication Server cannot receive the policy from the BlackBerry Enterprise Server (BES) if the policy name contains special characters. Check whether the policy name contains any special characters and replace them with letters and numbers.
After performing the upgrade on the Management Server, the device management page is not displayed.
The Device Management page uses Active X to display various data on the page. Performing the upgrade on the Management Server replaces the old Active X on the server. You must restart the Management Server to enable Internet Explorer to use the latest Active X. If the problem persists even after restarting the Management Server, then perform the following steps:
1. Close Internet Explorer.
2. Go to the directory C:\Windows\Downloaded Program Files and delete TMMS_AtxConsole.ocx.
3. Open Internet Explorer, and log on to the OfficeScan Web console to access Trend Micro Mobile Security.
If you are using SQL Server Express, use the following format in the Server address field: <SQL Server Express IP address>\sqlexpress.
Note: Replace <SQL Server Express IP address> with the IP address of SQL Server Express.
Unable to connect to SQL Server 2005 or SQL Server 2005 Express.
This problem may occur when SQL Server 2005 is not configured to accept remote connections. By default, SQL Server 2005 Express Edition and SQL Server 2005 Developer Edition do not allow remote connections. To configure SQL Server 2005 to allow remote connections, complete all the following steps:
1. Enable remote connections on the instance of SQL Server that you want to connect to from a remote computer.
2. Turn on the SQL Server Browser service.
3. Configure the firewall to allow network traffic that is related to SQL Server and to the SQL Server Browser service.
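The three steps above can be verified from the Mobile Security server. The following Python code is an added example, not part of the Trend Micro documentation: it asks the SQL Server Browser service (UDP port 1434) about a named instance and then tests the TCP port the instance reports. The instance name SQLEXPRESS, the host name DBHOST and the sample reply are assumptions constructed for illustration.

```python
import socket

BROWSER_UDP_PORT = 1434  # the SQL Server Browser service listens here


def parse_browser_reply(data: bytes) -> dict:
    """Decode a Browser reply: 0x05, 2-byte LE length, 'key;value;...;;'."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not a SQL Server Browser reply")
    size = int.from_bytes(data[1:3], "little")
    fields = data[3:3 + size].decode("ascii", "replace").strip(";").split(";")
    return {k.lower(): v for k, v in zip(fields[0::2], fields[1::2])}


def tcp_port(info: dict):
    """Return the instance's TCP port, or None if TCP/IP is not enabled."""
    port = info.get("tcp", "")
    return int(port) if port.isdigit() else None


def check_remote(host: str, instance: str = "SQLEXPRESS", timeout: float = 3.0) -> str:
    """Run from the Mobile Security server; names the first failing step."""
    request = b"\x04" + instance.encode("ascii") + b"\x00"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(request, (host, BROWSER_UDP_PORT))
            reply, _ = udp.recvfrom(65535)
    except OSError:  # includes socket.timeout
        return ("no Browser reply: service stopped, UDP 1434 blocked, "
                "or unknown instance name")
    port = tcp_port(parse_browser_reply(reply))
    if port is None:
        return "instance found, but TCP/IP remote connections are not enabled"
    try:
        socket.create_connection((host, port), timeout).close()
    except OSError:
        return f"TCP port {port} unreachable: check the firewall rule"
    return f"ok: instance reachable on TCP port {port}"


# Constructed sample reply for offline use (not captured from a real server).
_BODY = (b"ServerName;DBHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;9.00.4035.00;tcp;1433;;")
SAMPLE_REPLY = b"\x05" + len(_BODY).to_bytes(2, "little") + _BODY
```

Call check_remote with the IP address used in the Server address field; each returned message corresponds to one of the three steps.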
This problem may occur if Visual Studio 2008 is not installed in the default location and, therefore, the SQL Server 2008 setup cannot find the devenv.exe.config configuration file. To resolve this issue, perform the following steps:
1. Go to the <Visual Studio installation folder>\Microsoft Visual Studio 9.0\Common7\IDE folder, find and copy the devenv.exe.config file, and paste it to the following folder (you may need to enable display extensions for known file types in folder options):
   For 64-bit Operating System: C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE
   For 32-bit Operating System: C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE
2. Run the SQL Server 2008 setup again and add the BIDS feature to the existing instance of SQL Server 2008.
This may occur if the downloading of encrypted files is disabled in Internet Explorer. Perform the following steps to enable the encrypted files download:
1. On your Internet Explorer, go to Tools > Internet options, and then click the Advanced tab on the Internet Options window.
2. Under the Security section, clear Do not save encrypted pages to disk.
3. Click OK.
This is because the Mobile Security device administrator is not activated on that mobile device. If the user does not activate Mobile Security in the Device administrators list, Mobile Security cannot synchronize server policies with the mobile device, and displays its status as Out of Sync.
The content on the Policy pop-up window does not display and is blocked by Internet Explorer.
This happens if your Internet Explorer is configured to use a .pac automatic configuration file. In that case, Internet Explorer will block access to a secure Web site that contains multiple frames. To resolve this issue, add the Mobile Security server address to the Trusted sites security zone in Internet Explorer. To do this, perform the following steps:
1. Start Internet Explorer.
2. On the Tools menu, click Internet options.
3. On the Security tab, click Trusted sites, and then click Sites.
4. In the Add this Web site to the zone text field, type the Mobile Security server URL, and then click Add.
5. Click OK.
For more details on this issue, refer to the following URL: http://support.microsoft.com/kb/908356
On Internet Explorer 9, the Mobile Security management console does not display correctly.
If you are using Internet Explorer 9 to access the Mobile Security management console, turn on the Web browser's Compatibility View for the Web site. To do this, perform the following steps:
1. On Internet Explorer, access the OfficeScan Web console URL.
2. On the Tools menu, click Compatibility View settings. The Compatibility View Settings window displays.
3. Click Add to add the Web site address to the compatibility list, and then click Close.
- Product Activation Code
- Product Build version
- Exact text of the error message, if any
- Steps to reproduce the problem
TrendLabs
Trend Micro TrendLabs(SM) is a global network of anti-malware research centers that provide continuous 24x7 coverage to Trend Micro customers around the world. Staffed by a team of more than 800 engineers and skilled support personnel, the TrendLabs dedicated service centers in Paris, Munich, Manila, Taipei, Tokyo, and Irvine, CA ensure a rapid response to any malware outbreak or urgent customer support issue, anywhere in the world. The TrendLabs modern headquarters, in a major Metro Manila IT park, has earned ISO 9002 certification for its quality management procedures in 2000, one of the first anti-malware research and support facilities to be so accredited. Trend Micro believes TrendLabs is the leading service and support team in the anti-malware industry.
Check the Trend Micro Knowledge Base to search for released hot fixes: http://esupport.trendmicro.com Consult the Trend Micro Web site regularly to download patches and service packs: http://www.trendmicro.com/download All releases include a readme file with the information needed to install, deploy, and configure your product. Read the readme file carefully before installing the hot fix, patch, or service pack file(s).
Known Issues
Known issues are features in Mobile Security that may temporarily require a workaround. Known issues are typically documented in the Readme document you received with your product. Readmes for Trend Micro products can also be found in the Trend Micro Download Center: http://www.trendmicro.com/download/ Known issues can be found in the technical support Knowledge Base: http://esupport.trendmicro.com
Note: Trend Micro recommends that you always check the Readme text for information on known issues that could affect installation or performance, as well as a description of what's new in a particular release, system requirements, and other tips.